Roku has mandated two-factor authentication (2FA) for all users following two credential stuffing attacks that compromised approximately 591,000 customer accounts and led to fraudulent purchases. The Register reports: Credential stuffing and password spraying are both fairly similar types of brute force attacks, but the former uses a known pair of credentials (username and password). The latter simply spams known usernames with common passwords in hopes that one of them will lead to an authenticated session. “There is no indication that Roku was the source of the account credentials used in these attacks or that Roku's systems were compromised in any of the incidents,” the company said in an update to customers. “Rather, the login credentials used in these attacks were likely obtained from another source, such as another online account, and the affected users may have been using the same credentials.”
2FA is now required for all accounts, whether or not they have been affected by the wave of breaches. Roku has more than 80 million active accounts, so only a small percentage were affected, and all of them were issued mandatory password resets. All users, compromised or not, are encouraged to create a strong, unique password for their account that consists of at least 8 characters with a combination of numbers, symbols, and upper and lower case letters. […] Roku also reminded users to always be on the lookout for suspicious activity on the service, such as phishing emails or clicking on dangerous links to reset passwords. “Finally, we sincerely regret that an incident like this occurred and any confusion it may have caused. The security of your account is our top priority, and we are committed to protecting your Roku account.”
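The distinction The Register draws above (stuffing replays a known username/password pair per account; spraying tries one common password across many accounts) is also what lets a defender tell the two apart in authentication logs and decide which accounts need the kind of forced reset Roku applied. The following is an added example, not code from Roku or The Register. It assumes a constructed log format in which each login event records a timestamp, source IP, username, outcome and a keyed fingerprint of the password that was tried (`pw_fp`); whether a real pipeline emits such a fingerprint is an assumption, not something the article states. All IP addresses are from the documentation ranges and the log lines are constructed.

```python
"""Classify login bursts per source IP as credential stuffing or password
spraying, and list the accounts that need a forced reset.

Added example (not Roku's or The Register's code).  Assumed log format:
    <ISO-8601 UTC ts> src=<ip> user=<name> outcome=ok|fail pw_fp=<hex>
`pw_fp` is assumed to be a keyed (HMAC-style) fingerprint of the password
attempted, so two attempts with the same fingerprint used the same password.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"outcome=(?P<outcome>ok|fail) pw_fp=(?P<fp>[0-9a-f]+)$"
)

# Constructed sample: 203.0.113.7 replays one leaked pair per user (stuffing),
# 198.51.100.9 tries the same password against every user (spraying),
# 192.0.2.5 is one user mistyping a password twice (benign).
SAMPLE_AUTH_LOG = """\
2024-04-12T10:00:01Z src=203.0.113.7 user=alice outcome=fail pw_fp=9f1a
2024-04-12T10:00:02Z src=203.0.113.7 user=bob outcome=ok pw_fp=b72c
2024-04-12T10:00:03Z src=203.0.113.7 user=carol outcome=fail pw_fp=4e09
2024-04-12T10:00:04Z src=203.0.113.7 user=dave outcome=fail pw_fp=d1d1
2024-04-12T10:00:05Z src=203.0.113.7 user=eve outcome=ok pw_fp=77ab
2024-04-12T10:00:06Z src=203.0.113.7 user=frank outcome=fail pw_fp=0c3e
2024-04-12T10:05:00Z src=198.51.100.9 user=alice outcome=fail pw_fp=c0ff
2024-04-12T10:05:30Z src=198.51.100.9 user=bob outcome=fail pw_fp=c0ff
2024-04-12T10:06:00Z src=198.51.100.9 user=carol outcome=fail pw_fp=c0ff
2024-04-12T10:06:30Z src=198.51.100.9 user=dave outcome=fail pw_fp=c0ff
2024-04-12T10:07:00Z src=198.51.100.9 user=eve outcome=fail pw_fp=c0ff
2024-04-12T10:07:30Z src=198.51.100.9 user=frank outcome=fail pw_fp=c0ff
2024-04-12T10:08:00Z src=192.0.2.5 user=grace outcome=fail pw_fp=1234
2024-04-12T10:08:10Z src=192.0.2.5 user=grace outcome=fail pw_fp=5678
2024-04-12T10:08:20Z src=192.0.2.5 user=grace outcome=ok pw_fp=9abc
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool
    pw_fp: str  # assumed keyed fingerprint of the password tried


@dataclass
class Verdict:
    kind: str                 # credential_stuffing | password_spraying | mixed_brute_force | below_threshold
    attempts: int
    distinct_users: int
    distinct_passwords: int
    compromised_users: list   # accounts where an attempt from this source succeeded


def parse_line(line: str) -> LoginEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised auth log line: {line!r}")
    return LoginEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        src_ip=m["src"], user=m["user"],
        ok=(m["outcome"] == "ok"), pw_fp=m["fp"],
    )


def classify_source(events: list, min_users: int = 5, share: float = 0.8) -> Verdict:
    """Decide what one source IP's burst looks like.

    Spraying: one password fingerprint dominates across many usernames.
    Stuffing: many usernames, nearly every attempt with a different password
    (each one is a leaked pair being replayed).
    """
    attempts = len(events)
    users = {e.user for e in events}
    fps = Counter(e.pw_fp for e in events)
    compromised = sorted({e.user for e in events if e.ok})
    if len(users) < min_users:
        kind = "below_threshold"           # single user retrying is not an attack signal
    elif fps.most_common(1)[0][1] >= share * attempts:
        kind = "password_spraying"
    elif len(fps) >= share * attempts:
        kind = "credential_stuffing"
    else:
        kind = "mixed_brute_force"
    return Verdict(kind, attempts, len(users), len(fps), compromised)


def analyze(log_text: str, window: timedelta = timedelta(minutes=10), min_users: int = 5) -> dict:
    """Group events by source IP and classify the burst that starts at each IP's first event.

    A production detector would slide the window; anchoring it at the first
    event keeps the example short.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        by_ip[ev.src_ip].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = evs[0].ts
        burst = [e for e in evs if e.ts - start <= window]
        verdicts[ip] = classify_source(burst, min_users)
    return verdicts


def accounts_needing_reset(verdicts: dict) -> list:
    """Accounts that authenticated from a source flagged as an attack: these get
    the forced password reset (and 2FA enrolment) the article describes."""
    hit = set()
    for v in verdicts.values():
        if v.kind != "below_threshold":
            hit.update(v.compromised_users)
    return sorted(hit)


if __name__ == "__main__":
    results = analyze(SAMPLE_AUTH_LOG)
    for ip, v in results.items():
        print(f"{ip:14} {v.kind:20} users={v.distinct_users} passwords={v.distinct_passwords} "
              f"compromised={v.compromised_users}")
    print("force reset:", accounts_needing_reset(results))
```

The thresholds (`min_users`, `share`) are tuning knobs: spraying is deliberately slow and low-volume per account, so a per-account lockout alone misses it, which is why the grouping here is by source rather than by user. Note also that the stuffing source shows successes with distinct passwords, the signature of reused credentials leaked elsewhere, matching Roku's statement that its own systems were not the source.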