On April 12, 2024, Roku disclosed that approximately 576,000 customer accounts had been compromised through credential stuffing attacks. This was the second disclosure: a first wave, disclosed in March, had affected 15,363 accounts, and the investigation into that wave uncovered a much larger second wave affecting approximately 576,000 additional accounts.
Credential stuffing is not a sophisticated attack. It works because people reuse passwords across multiple services. When credentials from one breach are tested against other services at scale, a predictable percentage of them work. In Roku's case, the attack did not exploit any vulnerability in Roku's systems. It exploited the human tendency to reuse passwords.
What Happened
The attackers used automated tools to test large volumes of username-password combinations, obtained from previous data breaches at other companies, against Roku's login system. When a combination matched, the attacker gained access to that Roku account.
In the first wave, discovered in January 2024 and disclosed in March, approximately 15,363 accounts were compromised. Roku's investigation into that wave uncovered a second, larger wave affecting approximately 576,000 accounts.
For fewer than 400 of the compromised accounts, the attackers went beyond simple access. They used the payment methods stored on those accounts to make unauthorized purchases, including Roku hardware and streaming service subscriptions, and changed the email addresses and passwords on these accounts to lock out the legitimate owners.
Roku emphasized that the attackers did not gain access to full credit card numbers or other complete payment information. Roku's systems store only partial payment information. However, the stored payment methods could be used to make purchases within the Roku ecosystem without requiring the full card number.
The Credential Stuffing Epidemic
Roku's incident was one of many credential stuffing attacks that hit major services in 2023-2024. The attack pattern is well-established:
- Billions of username-password combinations are available from previous data breaches
- Automated tools test these combinations against target websites at high speed
- Accounts where users reused their passwords are compromised
- Compromised accounts are monetized through fraud, resale, or further attacks
The success rate for credential stuffing is typically low, often less than 1%. But when the input is millions or billions of credential pairs, even a fraction of a percent success rate yields thousands of compromised accounts.
For Roku, the numbers tell the story. The company has over 80 million active accounts. If the attackers tested tens of millions of credential pairs with a sub-1% success rate, 576,000 compromised accounts is entirely consistent with the expected yield.
Other major credential stuffing incidents in the same period included:
- PayPal (December 2022): 34,942 accounts compromised
- Norton LifeLock (January 2023): 925,000 accounts compromised
- 23andMe (October 2023): 6.9 million profiles accessed through compromised accounts
- The North Face (August 2023): An undisclosed number of accounts compromised
The common factor across all of these is password reuse by end users. No vulnerability was exploited. No systems were hacked. Users simply used the same password for their Roku account as they did for another service that had been breached.
Roku's Response
Roku took several steps in response to the attacks:
Password resets: The company forced password resets on all 576,000 compromised accounts and refunded or reversed unauthorized charges on the fewer than 400 accounts where fraudulent purchases were made.
Mandatory two-factor authentication: Roku enabled two-factor authentication for all accounts, regardless of whether they were compromised. This was the most significant response, as it addressed the root cause by adding a second factor that a stuffed username-password pair alone cannot satisfy.
Account monitoring: Roku enhanced its monitoring for suspicious login activity, implementing additional detection mechanisms for automated login attempts.
Customer notification: Affected users were notified via email with instructions to create a new, unique password and verify their account settings.
The mandatory MFA deployment was notable because it went beyond what most companies do in response to credential stuffing. Many companies simply reset passwords for affected accounts and recommend (but do not require) enabling MFA. Roku's decision to require MFA for all accounts was a meaningful step toward eliminating credential stuffing as an effective attack vector against its platform.
The Password Reuse Problem
Credential stuffing exists because password reuse is endemic. Despite years of security awareness campaigns, password managers, and breach notifications, a large percentage of users continue to use the same or similar passwords across multiple services.
Studies consistently show that:
- 65% of people reuse the same password across multiple accounts
- The average person has over 100 online accounts
- Only about 30% of users employ a password manager
- Even users who know the risks often reuse passwords for "low-value" accounts, not realizing that those accounts can be stepping stones to higher-value targets
The Roku incident illustrated this last point. Users may have considered their Roku account "low value" and reused a password from another service. But their Roku account had stored payment methods that could be used for purchases, making it a target for direct financial fraud.
Bot Detection Challenges
One of the challenges Roku faced was detecting and blocking the credential stuffing attempts. Attackers use sophisticated techniques to evade bot detection:
Distributed attacks: Using botnets or residential proxy networks to spread login attempts across thousands of IP addresses, avoiding IP-based rate limiting.
Slow and low: Throttling login attempts to stay below rate limit thresholds, making the attack traffic look more like normal user behavior.
Browser emulation: Using headless browsers and fingerprint spoofing to make automated requests appear to come from real browsers.
CAPTCHA solving: Using human-powered CAPTCHA solving services or AI-based solvers to bypass CAPTCHA challenges on login pages.
For a company like Roku with 80 million active accounts, distinguishing between legitimate login attempts and credential stuffing attempts is genuinely difficult. Legitimate users forget passwords, type them incorrectly, and log in from new devices and locations. The behavioral patterns of credential stuffing overlap significantly with normal user activity.
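The evasion techniques listed above map onto two distinct detection signals on the defender's side: a single source cycling through many distinct usernames with a high failure rate, and the distributed, slow-and-low pattern in which no single IP trips a per-IP limit but the population as a whole fails against an unusual number of distinct accounts. The following added example (not Roku's code or anything from its disclosure) runs both checks over a constructed set of login events; the IP addresses, usernames, timestamps and thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing signals over constructed login events (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed)
    ip: str          # source address (constructed, documentation ranges)
    username: str
    success: bool


def _legit():
    # Normal traffic: one user mistypes once, then succeeds.
    return [
        LoginEvent(1000, "203.0.113.10", "alice", True),
        LoginEvent(1005, "203.0.113.11", "bob", False),
        LoginEvent(1010, "203.0.113.11", "bob", True),
        LoginEvent(1020, "203.0.113.12", "carol", True),
    ]


def _noisy():
    # One source cycling through a credential list; user05 reused a password.
    return [LoginEvent(1100 + i, "198.51.100.7", f"user{i:02d}", i == 5)
            for i in range(12)]


def _distributed():
    # Twenty proxy exits, one guess each, spaced 30 s apart; two hits.
    return [LoginEvent(1200 + 30 * i, f"192.0.2.{i}", f"victim{i:02d}", i in (3, 17))
            for i in range(1, 21)]


SAMPLE_EVENTS = _legit() + _noisy() + _distributed()


def source_stats(events):
    """Per-IP attempt count, failure count and set of distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[e.ip]
        s["attempts"] += 1
        s["failures"] += 0 if e.success else 1
        s["users"].add(e.username)
    return stats


def flag_noisy_sources(events, min_attempts=10, min_distinct_users=5,
                       max_success_ratio=0.2):
    """Signal (a): one IP, many usernames, almost all failing."""
    flagged = []
    for ip, s in source_stats(events).items():
        success_ratio = 1 - s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and success_ratio <= max_success_ratio):
            flagged.append(ip)
    return sorted(flagged)


def distributed_signal(events, max_attempts_per_ip=3, min_failed_accounts=10,
                       min_failure_ratio=0.5):
    """Signal (b): population-level view of low-volume sources only.

    Each proxy exit stays under the per-IP limit, so the check looks at how
    many distinct accounts the low-volume population failed against and at
    its overall failure ratio, which normal traffic keeps low.
    """
    stats = source_stats(events)
    low_volume = [e for e in events if stats[e.ip]["attempts"] <= max_attempts_per_ip]
    attempts = len(low_volume)
    failures = [e for e in low_volume if not e.success]
    failed_accounts = {e.username for e in failures}
    ratio = len(failures) / attempts if attempts else 0.0
    return {
        "low_volume_attempts": attempts,
        "failed_accounts": len(failed_accounts),
        "failure_ratio": round(ratio, 2),
        "flagged": len(failed_accounts) >= min_failed_accounts and ratio >= min_failure_ratio,
    }


def suspect_successes(events, flagged_ips):
    """Accounts that a flagged source logged into: candidates for a forced reset."""
    return sorted({e.username for e in events if e.success and e.ip in flagged_ips})


if __name__ == "__main__":
    noisy = flag_noisy_sources(SAMPLE_EVENTS)
    print("noisy sources:", noisy)
    print("distributed signal:", distributed_signal(SAMPLE_EVENTS))
    print("accounts to reset:", suspect_successes(SAMPLE_EVENTS, noisy))
```

The per-IP check catches the loud source immediately, but it says nothing about the twenty single-attempt proxies, which is exactly the gap the "distributed" and "slow and low" techniques exploit; the population-level check is what surfaces them, and the accounts a flagged source did manage to log into are the ones to reset first.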
Account Takeover Economy
Compromised streaming service accounts are a commodity in the underground economy. Stolen Roku, Netflix, Hulu, and Disney+ accounts are sold on dark web forums and Telegram channels for a fraction of their subscription cost. Buyers get access to the streaming service; sellers monetize the compromised credentials.
The economy works like this:
- Credential stuffing yields thousands of compromised accounts
- Accounts are verified as active and checked for stored payment methods
- Accounts with stored payment are sold at a premium or used for direct fraud
- Accounts without stored payment are sold in bulk for pennies
- Buyers change the password and use the account until the legitimate owner recovers it
For the fewer than 400 Roku accounts where purchases were made, the attackers likely identified these as high-value accounts with stored payment methods and exploited them directly rather than reselling them.
Defensive Recommendations
The Roku incident underscores several defensive measures that both organizations and users should implement:
For organizations:
- Deploy mandatory MFA, not optional MFA that users can ignore
- Implement robust bot detection and rate limiting on login endpoints
- Monitor for anomalous login patterns including velocity, geographic impossibility, and known proxy networks
- Check user passwords against known breach databases using services like Have I Been Pwned's Pwned Passwords API
- Tokenize stored payment methods so compromised accounts cannot be used for direct purchases
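The breach-database check in the list above is usually done against the Pwned Passwords range endpoint, which uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and receives every suffix in that range with its breach count, so the full hash never leaves the client. The following added example (not Roku's code, and not an official Have I Been Pwned client) implements that lookup at password-set time; the `fetch` parameter is an assumption that lets the parsing and matching run offline against a constructed response body, and the counts and the two extra suffixes in that body are constructed.

```python
"""Pwned Passwords k-anonymity check (added example)."""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup: only the 5-character prefix is sent to the service."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def password_acceptable(password, fetch=fetch_range, threshold=1):
    """Policy hook for registration / password change: reject known-breached values."""
    return pwned_count(password, fetch) < threshold


# Constructed response for the range that contains sha1("password"), which
# starts 5BAA6. The first suffix is the real remainder of that hash; its count
# and the other two entries are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "00A9EDAE4F23D4D8F4B2D1E5CDB3A1E9B4C:0",
])


def offline_fetch(prefix):
    """Stand-in for fetch_range so the example runs without network access."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, offline_fetch),
              "acceptable:", password_acceptable(candidate, offline_fetch))
```

Run the check when a password is set or changed, not at login, and treat the result as a policy input: a non-zero count means the value is already in attackers' credential lists, which is precisely the input credential stuffing runs on.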
For users:
- Use unique passwords for every service, managed through a password manager
- Enable MFA on every account that supports it
- Monitor accounts for unauthorized activity and unfamiliar login notifications
- Consider removing stored payment methods from services where they are not frequently used
How Safeguard.sh Helps
Credential stuffing attacks exploit the intersection of password reuse and application security. Safeguard.sh helps organizations secure the authentication layer of their software supply chain:
- Software component analysis evaluates the authentication libraries and frameworks in your applications, identifying known vulnerabilities in login systems, session management, and credential storage.
- Security configuration monitoring verifies that your applications enforce security best practices including MFA requirements, rate limiting, and bot detection mechanisms.
- Continuous vulnerability tracking alerts you when new vulnerabilities are discovered in authentication-related components in your software stack.
- Policy gates enforce security standards for authentication and access control across your software supply chain, ensuring that every application meets minimum security requirements.
576,000 accounts compromised, not through a vulnerability, but through password reuse. Safeguard.sh helps you build applications that are resilient even when users make predictable mistakes.