Roku to Require Two-Factor Authentication

Roku TV and Streaming Device Users Required to Implement Two-Factor Authentication

Following the disclosure of two incidents involving unauthorized access to customer accounts through credential stuffing, Roku now requires two-factor authentication for all users of its TV and streaming devices. Credential stuffing is an attack in which login credentials leaked from one source are replayed by automated means to gain unauthorized access to other accounts.

When people reuse login credentials, or change them only slightly, bad actors can exploit the reuse to get into accounts and potentially access sensitive information, such as payment methods stored on the Roku platform. Roku disclosed that purchases were made in fewer than 400 instances, and it reassured its users that full credit card details and other highly sensitive information were not exposed.

Scope of the Breaches

The first incident, which occurred earlier in the year, affected approximately 15,000 user accounts. Roku subsequently detected a second breach that impacted 576,000 accounts, and emphasized that these incidents involved a mere fraction of the platform’s more than 80 million active accounts. Acknowledging the severity of the situation, Roku says it is committed to enhancing its security measures to prevent similar attacks in the future.

Those impacted by the breaches will have their passwords reset and will receive notifications regarding the unauthorized activities. Additionally, any unauthorized charges will be reversed. Moving forward, all Roku account holders will be required to verify their identities by following a link sent to their registered email address. Alternatively, users can utilize the device ID of any associated Roku device for account verification.

Current and former Roku customers who want to strengthen their security proactively are advised to trigger the two-factor authentication process manually.

Insights from Security Experts

According to security blog BleepingComputer, compromised Roku accounts were reportedly sold for as little as 50 cents each following the breaches. These illicitly obtained credentials were likely acquired through readily available credential stuffing tools capable of circumventing brute-force protections using proxies and other methods. Notably, there was speculation linking Roku’s recent updates to its Dispute Resolution Terms to the unauthorized activity, although Roku has clarified that these modifications were unrelated to the security breaches.
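Because credential stuffing makes roughly one attempt per account and spreads those attempts across proxies, a per-IP failure counter sees nothing unusual. The sketch below is an added example, not code from Roku or BleepingComputer: it runs a per-IP counter and a per-window check (distinct accounts, failure ratio, tries per account) over the same events. The event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# 198.51.100.x and 203.0.113.x are documentation ranges, not real hosts.
def build_sample_events():
    events = []
    # Normal traffic: five users logging in over ten minutes, mostly succeeding.
    for i in range(20):
        events.append((i * 30, f"198.51.100.{i % 5}", f"user{i % 5}", i % 10 != 0))
    # Stuffing burst: 60 distinct accounts, one attempt each, every attempt
    # from a different proxy IP, within one minute; two leaked pairs still work.
    for i in range(60):
        events.append((600 + i, f"203.0.113.{i}", f"victim{i}", i in (7, 41)))
    return sorted(events)

def per_ip_lockout(events, max_failures=5):
    """Classic brute-force control: flag IPs with too many failed logins."""
    failures = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n > max_failures}

def stuffing_windows(events, window_s=60, min_accounts=30, min_fail_ratio=0.8):
    """Flag windows with many distinct accounts, ~1 try each, mostly failing."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window_s].append((ip, user, ok))
    flagged = []
    for bucket, rows in sorted(buckets.items()):
        accounts = {user for _, user, _ in rows}
        fail_ratio = sum(1 for _, _, ok in rows if not ok) / len(rows)
        tries_per_account = len(rows) / len(accounts)
        if (len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio
                and tries_per_account < 2):
            # Logins that succeeded inside the burst are password-reset candidates.
            hits = sorted(user for _, user, ok in rows if ok)
            flagged.append({"window_start": bucket * window_s,
                            "accounts": len(accounts),
                            "source_ips": len({ip for ip, _, _ in rows}),
                            "fail_ratio": round(fail_ratio, 2),
                            "accounts_to_reset": hits})
    return flagged

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP lockout flags:", per_ip_lockout(ev))
    for w in stuffing_windows(ev):
        print("stuffing window:", w)
```

On the constructed data the per-IP counter flags nothing, while the window check isolates the burst and the two accounts whose reused credentials were accepted.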

About Post Author

Chris Jones

Hey there! 👋 I'm Chris, 34 yo from Toronto (CA), I'm a journalist with a PhD in journalism and mass communication. For 5 years, I worked for some local publications as an envoy and reporter. Today, I work as 'content publisher' for InformOverload. 📰🌐 Passionate about global news, I cover a wide range of topics including technology, business, healthcare, sports, finance, and more. If you want to know more or interact with me, visit my social channels, or send me a message.