The technology company, based in San Jose, California, said that it discovered the problem after monitoring unusual account activity on its platform earlier this year that affected roughly 15,000 user accounts.
Through its investigation, Roku said that the malicious actors stole the login credentials through a different source and applied a practice called “credential stuffing,” applying stolen usernames and passwords across multiple platforms to take advantage of people who use the same credentials across multiple services.
“We concluded at the time that no data security compromise occurred within our systems, and that Roku was not the source of the account credentials used in these attacks,” Roku said in a statement.for all of its 80 million account holders. Roku reset passwords for the affected accounts and reversed or refunded the unauthorized charges made by the malicious actors, the firm said.