Another company has essentially been pushed into the multifactor authentication age, as two successful credential stuffing attacks since the beginning of 2024 have caused Roku to now require all users to log in with 2FA.
At the moment, the company only supports email 2FA. Upon login, users are seeing messages indicating that Roku has sent a verification message to the email address associated with the account. The most recent of the credential stuffing attacks did not impact most of the service’s 80 million users, but the new policy will apply to all anyway going forward.
Limited 2FA is not much, but better than nothing
Given that the credential stuffing attacks appear to have been fed by prior data breaches at other organizations, email 2FA may well have stopped them (assuming that the email address in question did not also share the same credentials). Roku’s 2FA is not robust, however, with a number of workarounds including substituting the last five digits of any Roku device ID belonging to the account.
The company is one of the biggest in the streaming market, with about 80 million customers. Only about 591,000 of these were impacted by the credential stuffing attacks, presumably because they were using recycled logins leaked in some other breach elsewhere. The incident is nowhere near the scope of the Plex attack in 2022, which involved tens of millions of accounts and exposed encrypted passwords.
While it is better than nothing, security experts generally agree that email- or message-based 2FA is inadequate account protection. However, at the moment, Roku is not offering other MFA options. Cybersecurity is generally not seen as a high priority for streaming accounts given the limited damage that can be done with them if they are taken over by criminals, though there is always some level of concern (and call for good security hygiene) when stored payment information is present.
Account security changes prompted by two credential stuffing attacks in four months
The more recent of the credential stuffing attacks was the more serious, impacting about 576,000 Roku accounts. The earlier attack took place from late December into February but ultimately compromised only about 15,000 accounts. Roku did not provide any indication of where the credential information was sourced from.
Only users whose accounts were compromised will be prompted to reset their password, but all Roku accounts are now required to use email 2FA going forward. The company said that for about 400 of the breached accounts, the hackers used saved payment methods to purchase hardware (such as TVs and streaming boxes), though they were not able to view stored card numbers. The company said that it is refunding all users who experienced these fraudulent purchases during the wave of attacks.
When stored payment methods are not present, Roku accounts are not particularly valuable. They have been seen trading for an average price of about 50 cents USD on the dark web, with the only value being the paid video content that they have access to.