The Maine Office of the Attorney General disclosed a data breach affecting Roku Inc. that occurred between December 28, 2023, and February 21, 2024. Unauthorized actors accessed approximately 15,363 user accounts using credentials likely obtained from third-party sources (e.g., in credential stuffing attacks). While the exact types of compromised data were not detailed, the report confirmed that no highly sensitive information, such as Social Security numbers, was exposed. The breach highlights weaknesses in account security, particularly where users reuse passwords across platforms. Roku responded by notifying affected individuals and advising password resets; the long-term reputational and operational impacts remain limited. The attack did not involve ransomware, direct financial fraud, or systemic disruptions to Roku's services, but it underscores the risks of credential-based intrusions and the importance of multi-factor authentication (MFA).
TPRM report: https://www.rankiteo.com/company/roku
"id": "rok029090625",
"linkid": "roku",
"type": "Breach",
"date": "12/2023",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': '15,363',
                        'industry': 'Consumer Electronics / Streaming Services',
                        'location': 'United States',
                        'name': 'Roku Inc.',
                        'type': 'Corporation'}],
 'attack_vector': 'Compromised Credentials (Third-Party Sources)',
 'data_breach': {'number_of_records_exposed': '15,363',
                 'personally_identifiable_information': 'No (SSN not accessed)',
                 'sensitivity_of_data': 'Moderate (Non-SSN)',
                 'type_of_data_compromised': ['User Account Information']},
 'date_detected': '2024-02-21',
 'date_publicly_disclosed': '2024-03-08',
 'description': 'The Maine Office of the Attorney General reported a data '
                'breach involving Roku Inc. The breach occurred between '
                'December 28, 2023, and February 21, 2024, where unauthorized '
                'individuals accessed approximately 15,363 user accounts using '
                'credentials obtained from third-party sources. Sensitive '
                'personal information such as social security numbers was not '
                'accessed.',
 'impact': {'data_compromised': ['User Account Information (Non-SSN)']},
 'initial_access_broker': {'entry_point': 'Third-Party Credential Sources'},
 'references': [{'date_accessed': '2024-03-08',
                 'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': ['Maine Office of the '
                                                        'Attorney General']},
 'threat_actor': 'Unauthorized Individuals',
 'title': 'Roku Inc. Data Breach (2023-2024)',
 'type': 'Data Breach (Credential Stuffing)'}