Protecting your Roku account
We take your privacy and security seriously, and as part of our commitment to these values, we’d like to share information about our investigations into recent incidents that have impacted some of our user accounts, the steps we’ve taken to notify affected customers, and our efforts to protect customers from future attacks.
What happened
Earlier this year, Roku’s security monitoring systems detected an increase in unusual account activity. After a thorough investigation, we determined that unauthorized actors had accessed about 15,000 Roku user accounts through a method known as “credential stuffing,” using login credentials (i.e., usernames and passwords) stolen from another source unrelated to Roku.
Credential stuffing is a type of automated cyberattack where fraudsters use stolen usernames and passwords from one platform and attempt to log in to accounts on other platforms. This method exploits the practice of individuals reusing the same login credentials across multiple services. We concluded at the time that no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks.
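The pattern described above leaves a recognisable signature in authentication logs: one source tries many *different* accounts in a short burst, most attempts fail, and a few succeed where the reused password happens to match. The following detection heuristic is an added example written for this post, not Roku's monitoring code; the log format and the sample events are constructed, and the thresholds (five accounts in five minutes, 60% failures) are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of login events (not real Roku logs): time, source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol@example.com OK
2024-03-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2024-03-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-03-01T10:05:00Z 198.51.100.4 alice@example.com FAIL
2024-03-01T10:05:30Z 198.51.100.4 alice@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_events(text):
    """Yield (timestamp, ip, account, success) from the log; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def find_stuffing_sources(text, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that hit >= min_accounts *distinct* accounts within `window` with a
    failure ratio >= min_fail_ratio. One account failing repeatedly (a forgotten password,
    or brute force) does not match; many accounts, mostly failing, is the stuffing signature."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in parse_events(text):
        by_ip[ip].append((ts, acct, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over this IP's events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                best = flagged.get(ip, {"accounts": 0})
                if len(accounts) > best["accounts"]:   # keep the widest matching window
                    flagged[ip] = {"accounts": len(accounts), "attempts": len(span), "failures": fails}
    return flagged

def accounts_to_reset(text, flagged):
    """Accounts that logged in successfully from a flagged IP: the ones that need a password reset."""
    return sorted({a for _, ip, a, ok in parse_events(text) if ok and ip in flagged})
```

The second helper produces the list of accounts that actually need the response the post describes (password reset and a customer notification), while the single-account failures from the other source are left alone.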
After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.
There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.
What we’re doing
While the overall number of affected accounts represents a small fraction of Roku’s more than 80M active accounts, we are implementing a number of controls and countermeasures to detect and deter future credential stuffing incidents.
First, we have reset the passwords for all affected accounts and are notifying those customers directly about this incident. We also are refunding or reversing charges for the small number of accounts where we’ve determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products using a payment method stored in these accounts. We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information.
As a part of our ongoing commitment to information security, we have enabled two-factor authentication (2FA) for all Roku accounts, even for those that have not been impacted by these recent incidents. As a result, the next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account.
We understand that 2FA adds an extra step to the login process. That’s why we’ve worked hard to make it as simple as possible. If you need assistance, please visit How to sign in with two-step verification on our Customer Support site for more information.
How you can help protect your account
We are committed to maintaining the privacy and security of your Roku account. We also believe in empowering our users with information and tools to help safeguard their accounts:
- Create a strong, unique password for your Roku account. This makes it harder for someone to gain unauthorized access to your account. Use a mix of at least eight characters, including numbers, symbols, and lowercase and uppercase letters. Find more tips here: How to create a strong and secure password for your Roku account.
- Remain vigilant. Please be alert to any suspicious communications appearing to come from Roku, such as requests to update your payment details, share your username or password, or click on suspicious links. When in doubt about the authenticity of a communication, contact Roku Customer Support.
- Stay informed. In addition to blog posts and Support pages on Roku, be sure to check your email for communications from Roku and periodically log in to your Roku account to review your account charges.
Additional recommendations can be found here: How to keep your Roku account secure.
In closing, we sincerely regret that these incidents occurred and any disruption they may have caused. Your account security is a top priority, and we are committed to protecting your Roku account.