Roku: 576K accounts hacked in second data breach of 2024

Roku (ROKU) has announced a data breach in which hackers gained access to 567,000 streaming accounts — the streaming company's second security incident this year. Yahoo Finance reporter Dan Howley joins Wealth! to discuss how the breach affects Roku and its consumers.

Howley explains Roku's first breach of the year involved 15,000 Roku users and was executed via a "credential stuffing" method, wherein passwords from separate accounts matched users' Roku credentials. After the incident, a Roku investigation showed that hackers had accessed an additional 567,000 accounts using the same technique. Roku is mitigating the breach by resetting passwords for the hacked accounts, but states that no sensitive information was stolen.

Howley adds that it behooves consumers to use two-factor authentication to reduce the risk of security violations.

For more expert insight and the latest market action, click here to watch this full episode of Wealth!

This article was written by Gabriel Roy

Video Transcript

- Well, Roku announcing a data breach in which hackers gained access to 576,000 accounts. This is the streaming company's second data breach this year. For more on how this could impact you, we turn to Yahoo Finance tech editor, Dan Howley. Dan, what do we know about this so far?

DAN HOWLEY: Yeah, Brad. The first breach happened with 15,000 Roku users accounts. The company says this was through a method called credential stuffing. Essentially what that means is, hackers or attackers took someone's username and password from one site and then said, well, people are dumb, they probably reuse their stuff, and put it into their Roku accounts, and voila, they got access to 15,000 accounts.

They went through, they studied that, and they found a second incident where 576,000 accounts were impacted through the exact same way, where someone had said people are dumb we'll pull their username and password from X site and plug it into Roku, and bam, it worked. Roku says that they're working to mitigate this. They're resetting passwords for the affected accounts.

They say in less than 400 cases, the attackers had actually logged in and then made purchases through streaming services related to the Roku account. So that means that someone went in and bought a movie, or bought a subscription to HBO Max or something like that, or just Max, and it was a relatively small number. They also point out that it's, the 576,000 is a small fraction of the 80 million accounts that they have.

Now, I think the bigger thing to point out here is the account stuffing, the credential stuffing issue, right? So as I said, it's just a means where they take a username and password from one account, and then push it into another account to see if it works. And look, I'm as dumb as everyone else so I do the same thing.

And so I think it just behooves everybody to use what's called two-factor authentication, where you'll get a text message or a notification for an app through an app or email, that you're trying to log in and then confirm it that way. And this way, you'll A, get a heads up that someone is trying to log into your account, and B, they will get shut out when you don't approve that login through that two-factor authentication.

But I mean, it really does just speak to the general idea of cybersecurity hygiene of using different usernames and passwords. It's difficult, I know, as I said, I'm not the best at it but I think two-factor authentication is a good way to try to play the best of both worlds.

- Dan, what happens next? Is Roku likely to then reach out to some of the impacted accounts here, and what goes forward in terms of the data that was compromised and potential legal action that might come forward as well, those who are looking for some type of settlement here as well.

DAN HOWLEY: Yeah. So they said that no major information was stolen. So things like credit card data, things like that, they weren't impacted. It's just that people may have had things, payment methods stored, and so when you have a payment method stored on a website you can just click a button and you can purchase something really quickly.

I tend to try to not save my credit cards on websites, at least those I don't use very often, because of this exact reason. If someone gets access to the site, well then they can start buying stuff with my card. And while I have notifications turned off for my card, I just don't want that to happen at all. And I think, as far as what Roku is doing, as I said, they're kicking, they're kicking those users out, the hackers, or they have already. They're resetting passwords.

As far as legal action, I'm not sure exactly. This seems to be not an issue with Roku's accounts, at least according to this statement that they released, but just a general practice that people have, where they just reuse login credentials. And so if you do that, you're setting yourself up for potential issues like this. So I imagine that what's going to happen is, we're just going to have people who have Roku accounts get notifications to update and turn on two-factor authentication even if they weren't part of this, just so Roku can cover its P's and Q's.

- Yeah. And in that case, there would be no compensatory damages, maybe just some emotional damages out there for folks who had a hacker finish the series that they were only in the midst of, and hadn't gotten too deep into. Dan, thanks so much for taking the time. Appreciate it.