Roku Makes 2FA Mandatory for all After Nearly 600K Accounts Pwned

What Happened?

After attackers accessed around 591,000 customer accounts this year, Roku is making 2FA mandatory. Over two separate incidents, the first affecting 15,363 accounts and the second affecting roughly 576,000. In these cases, the attackers used the accounts to purchase streaming subscriptions and hardware stored in users accounts, the company has confirmed.

Every one of these account holders has been reimbursed, Roku said, and in no cases were the attackers able to access any sensitive information, including "full credit card numbers or other full payment information."

How Were the Accounts Compromised?

According to the data breach notification letters issued in the US on March 8, social security numbers, dates of birth, and other similar information also remain unaffected.

Roku says its systems appear to be safe from compromise too. The company reckons the accounts were accessed via credential stuffing attacks that used stolen credentials from other sources.

What is Credential Stuffing?

Credential stuffing and password spraying are both fairly similar types of brute force attacks, but the former uses known pairs of credentials (usernames and passwords). The latter simply spams common passwords at known usernames in the hope one of them leads to an authenticated session.

"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku's systems were compromised in either incident," it said in an update to customers.

"Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."

The UK's NCSC still recommends creating passwords consisting of three random words – one that's still long and strong enough to satisfy complexity checks.

Josh Hickling, Pentest People Featured Comment 

"This highlights the need to utilise unique passwords with a password manager," said Josh Hickling, principal consultant at Pentest People. "Had the users of the site not reused their passwords, they wouldn't have been affected.

"With Apple Keychain, or a third party like 1Password or LastPass on Android, it's easier than ever to manage a base of unique passwords. This mitigates the risk of your password being exposed on a third-party site and affecting you across different systems."

Roku also asked users to remain vigilant to suspicious activity regarding its service, such as phishing emails or clicking on dodgy links to rest passwords – the usual stuff.

"In closing, we sincerely regret that these incidents occurred and any disruption they may have caused," it said. "Your account security is a top priority, and we are committed to protecting your Roku account." ®

Featured in "The Register" article here: https://www.theregister.com/2024/04/15/roku_2fa_for_everyone/

Additional Comments from our Team

“Keychain can hide your email address also which provides you with a unique email address for each log in. This further improves your defence against such attacks.” Rich Newton, Pentest People.

"This type of compromise highlights the importance of mandating multi-factor (MFA) authentication on accounts. In an ideal world, service providers would force MFA from sign-up as it benefits both customers and service providers to harness this security feature. MFA should be out of band and not use email, especially if the email address is the account being used in the credential stuffing attack." Chris Burton, Pentest People. 

‍