US streaming giant Roku has disclosed a data breach impacting more than 15,000 customers, leading to fraudulent transactions and unauthorized access to accounts. The breach, identified as a credential-stuffing attack, used credentials compromised in previous data breaches of third-party services.
According to Roku's official data breach notice, cybercriminals exploited login and password combinations leaked from unrelated third-party breaches to hijack Roku accounts. Because some users reuse the same credentials across multiple platforms, threat actors managed to gain access to Roku accounts and change login information and, in some cases, attempted to buy streaming subscriptions.
This breach left thousands of users locked out of their accounts, allowing hackers to exploit stored credit card information to make illicit purchases, all while users received confirmation emails for orders they did not authorize.
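The attack pattern described above, in which one source tries many different leaked username/password pairs and most of them fail, leaves a recognisable signature in authentication logs. The following Python script is an added example, not Roku's code and not based on any Roku system: it parses a constructed set of login-event lines, flags source IPs that try many distinct accounts with a high failure ratio inside a short window (the log format, field layout and thresholds are assumptions chosen for illustration), and lists the accounts on which such an IP succeeded, which are the ones an operator would want to force a password reset on and review for unauthorized purchases.

```python
"""Heuristic credential-stuffing detector over authentication log lines.

Added example, not Roku's code. The log format (timestamp, source IP,
username, OK/FAIL) and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source address cycles
# through many different accounts in seconds, succeeding on two of them;
# a second address retries one account; a third is an ordinary login.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-15T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-15T10:00:02Z 203.0.113.7 carol@example.com OK
2024-01-15T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-01-15T10:00:03Z 203.0.113.7 erin@example.com FAIL
2024-01-15T10:00:04Z 203.0.113.7 frank@example.com OK
2024-01-15T10:00:05Z 203.0.113.7 grace@example.com FAIL
2024-01-15T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2024-01-15T10:05:00Z 198.51.100.4 alice@example.com FAIL
2024-01-15T10:05:20Z 198.51.100.4 alice@example.com OK
2024-01-15T11:00:00Z 192.0.2.9 ivan@example.com OK
"""

WINDOW = timedelta(minutes=5)     # assumed sliding-window length
MIN_DISTINCT_USERS = 5            # assumed: distinct accounts per IP per window
MIN_FAILURE_RATIO = 0.5           # assumed: share of attempts that failed


def parse_log(text):
    """Parse 'timestamp ip user outcome' lines into (ts, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail=MIN_FAILURE_RATIO):
    """Return {ip: summary} for source IPs whose activity inside some sliding
    window looks like credential stuffing: many distinct usernames tried from
    one address with a high failure rate. The summary kept per IP is the
    window with the most distinct accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failure_ratio": round(ratio, 2),
                        # Accounts the suspicious source actually got into.
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts a flagged source logged into: candidates for a forced
    password reset and a review of recent purchases."""
    return {u for summary in alerts.values() for u in summary["compromised"]}


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", sorted(accounts_to_reset(found)))
```

The retrying address 198.51.100.4 is not flagged because it only ever touches one account; that is what separates a forgotten password from a list of leaked pairs being replayed. In a real deployment the same logic would run over a streaming log source and the thresholds would be tuned against baseline traffic, since shared NAT egress addresses can legitimately show many distinct users.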
Upon discovering the breach in January 2024, Roku took action to secure affected accounts and enforced a mandatory password reset. The company said it conducted a thorough investigation to identify unauthorized purchases, cancel fraudulent subscriptions, and issue refunds to affected users.
The streaming platform assured users that the breach did not compromise sensitive personal data such as social security numbers, full payment account details, or dates of birth. Nevertheless, subscribers have been urged to review their account activity and memberships via the Roku dashboard to ensure the legitimacy of their accounts.