Roku warns that 576,000 accounts were hacked in new credential stuffing attacks after disclosing another incident that compromised 15,000 accounts in early March.

The company said the attackers used login information stolen from other online platforms to breach as many active Roku accounts as possible in credential stuffing attacks.

In such attacks, the threat actors leverage automated tools to attempt millions of logins using a list of user/password pairs, with this technique being particularly effective against accounts whose owners have reused the same login information across multiple platforms.

"After concluding our investigation of [the] first incident, we [..] continued to monitor account activity closely [and] we identified a second incident, which impacted approximately 576,000 additional accounts," Roku said on Friday.

"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku's systems were compromised in either incident."

"In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information."

As BleepingComputer reported in March, threat actors are using credential stuffing attacks with Open Bullet 2 or SilverBullet cracking tools to compromise Roku accounts, which are then sold for as little as 50 cents on illegal marketplaces.

The sellers also provide information on using the stolen accounts to make fraudulent purchases, including Roku streaming boxes, sound bars, light strips, and TVs.

Password resets and 2FA enabled by default

After discovering this second wave of credential stuffing attacks, Roku has reset the passwords for all impacted accounts and is notifying affected customers directly about the incident.

The company will also refund and reverse charges for accounts where the attackers used the linked payment information to pay for Roku hardware products and streaming service subscriptions.

Since the last incident, Roku has also added support for two-factor authentication (2FA) and has now enabled it by default for all customer accounts, even for those that these recent attacks have not impacted.

Customers are also advised to choose strong and unique passwords for their accounts and alert Roku's customer support if they receive requests to share their credentials, update their payment details, or click suspicious links.

Last month, Roku disclosed another data breach that impacted an additional 15,363 customers of a total of over 80 million active users after their accounts were also used to make fraudulent purchases of streaming subscriptions and Roku hardware.