Roku enforces 2FA following major security incidents

Roku is now requiring its users to enable two-factor authentication (2FA), after suffering two sizeable security breaches in quick succession.

In both incidents, customer data was leaked. The first came in March, when 15,000 accounts were found for sale on the dark web; anyone who bought them could have used the payment details stored in those accounts to purchase subscriptions.

Then, earlier in April 2024, Roku suffered another cyberattack, which affected over half a million users. The accounts were compromised through credential stuffing, in which attackers automatically try username and password pairs obtained in other breaches against the login page, counting on users having reused the same credentials for their Roku accounts.

Extra protection

Users affected by the latter incident were made to change their Roku account passwords. But now, the streaming service is making two-factor authentication mandatory for all users. The change is already taking place, with users being notified via email to set it up.

2FA typically means entering a time-sensitive code, known as a Time-based One-time Password (TOTP), after logging in with your username and password. It adds an extra layer of security by checking that it really is the user, and not a hacker, who is trying to access the account.

The TOTP is usually delivered to your mobile device, either by SMS text message or through a dedicated authenticator app. Authenticator apps generate a constantly refreshing series of codes for each account that has 2FA enabled, and the current code must be entered on the login page before it expires and is replaced by a new one.

Organizations that want to go further can use physical security keys instead; these perform the same role but reduce the risk of compromise compared with generating codes on a smartphone.

Despite the extra protection, 2FA (and Multi-Factor Authentication (MFA) more generally) is not invulnerable. SMS, for instance, is considered the least secure delivery method for 2FA codes, because cybercriminals can take over a phone number in a SIM-swapping scam and then read every message sent to it.

Cybercriminals can also bombard users with so-called MFA fatigue attacks, repeatedly prompting them to approve an illegitimate login attempt until they accept it just to make the notifications stop. These attacks rely on authentication methods that simply ask the user to confirm or deny a login, without requiring a code to be entered.

There have also been reports of hackers stealing session cookies from sessions that users have already authenticated with MFA, meaning they do not need the codes at all to break into an account.
