Credential theft
Roku credential stuffing attack (576,000 accounts)
Incident Details
Second Roku credential stuffing incident of 2024 (first: ~15,000 accounts in March). Attackers used username/password pairs from prior unrelated breaches to authenticate against Roku accounts. 576,000 accounts compromised. In fewer than 400 cases, attackers used stored payment methods to purchase streaming subscriptions and Roku hardware. Full credit card numbers not accessible. Roku enabled mandatory two-factor authentication for all 80 million user accounts in response. Roku stated its systems were not breached; credentials came from third-party data.
Technical Details
- Initial Attack Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (credential stuffing using credentials stolen from third-party breaches)
- Vendor / Product: Roku streaming platform
Timeline
- 2024-03-01 Breach occurred
- 2024-04-12 Publicly disclosed
- 2024-04-12 Customers notified