Roku said that after investigating a security breach that was reported in early March, it detected a second, larger intrusion that involved around 576,000 accounts.
The streaming company released a statement on the matter Friday.
Once again, the security breach involved "credential stuffing," in which hackers who have already stolen user names and passwords elsewhere try them against Roku accounts, counting on users' bad habit of reusing the same credentials across multiple services.
"There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident," Roku said in its Friday statement. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information."
In addition to resetting passwords for affected users, Roku said it will now adopt two-factor authentication.