02:37 PM EDT, 04/12/2024 (MT Newswires) -- Roku ( ROKU ) announced Friday that an additional 576,000 streaming account login credentials were stolen in a breach, adding to the 15,000 accounts that were impacted in another incident earlier this year.

The streaming device maker reset passwords for all affected accounts and is notifying those users directly about the incident. Shares of Roku ( ROKU ) fell 2.7% in afternoon trade.

Unauthorized actors used a method known as credential stuffing, which is a type of automated cyberattack where fraudsters use stolen usernames and passwords from one platform to gain access to accounts on other platforms, according to the company.

"There is no indication that Roku ( ROKU ) was the source of the account credentials used in these attacks or that Roku's ( ROKU ) systems were compromised in either incident," the company said. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."

Roku ( ROKU ) notified 15,000 customers impacted by the first incident in early March and identified a second incident impacting the additional 576,000 accounts. In total, Roku ( ROKU ) has 80 million active accounts, calling the percentage affected by the breach "a small fraction."

In less than 400 cases, unauthorized purchases of streaming service subscriptions and Roku ( ROKU ) hardware products were made using the account's stored payment method. Roku ( ROKU ) said it is refunding or reversing charges, adding that full credit card information and other sensitive user details were not accessed.

The company is implementing a number of controls to detect and deter future credential stuffing incidents, including enabling two-factor authentication for all Roku ( ROKU ) accounts.

Price: 60.30, Change: -1.65, Percent Change: -2.66