Video streaming device maker Roku has said that more than half a million users had been impacted by a cyberattack.

The company on Friday said that it identified that approximately 576,000 accounts had been impacted by a breach. It discovered the breach while conducting a separate investigation into a separate attack that affected 15,000 user accounts earlier this year.

Roku said that the attackers did not gain access to any sensitive information such as full credit card numbers, and that there were less than 400 cases where information was used to make unauthorised purchases using stored information.

The information, Roku said, was stolen from another source unrelated to the company through a method known as credential stuffing – a type of automated cyberattack where fraudsters use stolen usernames and passwords from one platform and attempt to log in to accounts on other platforms.

Taking steps to protect users, Roku said that it had reset passwords for all affected accounts and that it would refund or reverse charges for any unauthorised purchases. It also said that it had enabled two-factor authentication (2FA) for all Roku accounts, even for those that have not been impacted by the incidents.

The attack has underlined the need for users to remain vigilant in their approach to account management, commented Jamie Boote, associate principal security consultant at the Synopsys Software Integrity Group, who added that the implementation of 2FA “may be inconvenient” but could prevent “more serious compromises in the future”.

“Mandating 2FA services in those situations is a positive step and is commonly seen by users when the service pauses the logon process until the user clicks the link in an email or provides a code sent via text message," Boote said.

---