The CyberSignal

Roku Discloses Cybersecurity Incident Affecting Over 570,000 User Accounts

Nicholas Robert

12 Apr 2024 — 2 min read

Roku has disclosed a cybersecurity incident that resulted in unauthorized access to more than 570,000 user accounts, marking one of the largest account takeover events to impact a major streaming platform in recent months.

The company said in an official security update that the breach did not stem from a compromise of its internal systems. Instead, the activity was attributed to a credential stuffing campaign, in which attackers used previously exposed usernames and passwords from unrelated data breaches to gain access to Roku accounts.

Credential Stuffing Campaign Targets Streaming Accounts

Roku said threat actors relied on reused login credentials to access approximately:

  • 576,000 accounts in the primary incident
  • 15,000 accounts in an earlier wave identified in March

Credential stuffing attacks rely on password reuse across multiple platforms, allowing attackers to automate login attempts using credentials obtained from other breaches.

Reporting from BleepingComputer indicated that some compromised Roku accounts were later listed for sale on online marketplaces, in some cases for as little as $0.50 per account.

Unauthorized Purchases and Limited Data Exposure

Roku said that for a small subset of compromised accounts — fewer than 400 — attackers were able to make unauthorized purchases of streaming subscriptions and digital content using stored payment methods.

The company said exposed account data may have included:

  • Names
  • Email addresses
  • Partial payment card details

Roku emphasized that full credit card numbers were not exposed.

Company Response and Mitigation Measures

Following the detection of suspicious activity, Roku said it took immediate steps to contain the incident, including:

  • Resetting passwords for impacted accounts
  • Revoking active user sessions
  • Monitoring for suspicious login activity

The company also implemented additional safeguards, including requiring two-factor authentication (2FA) across its platform.

As reported by The Verge, the requirement applies to Roku’s broader user base of more than 80 million active accounts.

Growing Threat of Account Takeovers

Security analysts say the Roku incident reflects a broader trend of account takeover (ATO) attacks targeting consumer platforms that store payment data.

These attacks are effective because they exploit common user behavior, particularly password reuse across services.

Platforms frequently targeted include:

  • Streaming services
  • E-commerce accounts
  • Gaming platforms

These environments present immediate monetization opportunities through fraudulent purchases or resale of account access.

Security Implications

The incident underscores the continued effectiveness of credential-based attacks, even in cases where there is no direct compromise of company infrastructure.

Security experts recommend:

  • Using unique passwords for each account
  • Enabling multi-factor authentication (MFA)
  • Monitoring accounts for suspicious activity

As account takeover campaigns continue to scale, the Roku breach highlights the importance of stronger identity protections across consumer platforms.
