New Roku Breach Impacts 576,000 Accounts

Written by Matt Milano

Roku is notifying users of a new data breach, this one impacting some 576,000 users, on top of the 15,000 users impacted by a breach earlier in 2024.

According to Roku, bad actors used a method called “credential stuffing” in both attacks, in which attackers use “stolen usernames and passwords from one platform and attempt to log in to accounts on other platforms.” The method is often successful because many individuals reuse their usernames and passwords across various services and platforms.

Roku says it discovered the larger breach while investigating the initial one impacting 15,000 customers. The company maintains that there is no evidence its own data was breached.

There is no indication that Roku was the source of the account credentials used in these attacks or that Roku’s systems were compromised in either incident. Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials. In less than 400 cases, malicious actors logged in and made unauthorized purchases of streaming service subscriptions and Roku hardware products using the payment method stored in these accounts, but they did not gain access to any sensitive information, including full credit card numbers or other full payment information.

Roku says the vast majority of its 80 million users are not impacted. As a result, the company has reset passwords for the affected accounts, and is notifying customers. The company has also enabled two-factor authentication (2FA) for all accounts, including those not impacted.

Roku’s breaches emphasize the value of good security practices, including using different passwords for various services. As data breaches become more common, it’s all too easy for bad actors to automatically use stolen credentials on hundreds, or even thousands, of services where those credentials may be duplicated.
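From the defending side, credential stuffing tends to show up in login logs as one source trying many different usernames with a high failure rate. The following is an added example, not code from Roku or the original article; the event format, thresholds and function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from Roku): (timestamp, source IP, username, success).
# IPs come from documentation ranges; usernames are placeholders.
STUFFER, NAT, HOME = "203.0.113.7", "192.0.2.50", "198.51.100.20"
SAMPLE_EVENTS = (
    # One source cycling through many accounts, mostly failing.
    [(f"2024-01-01T10:00:{i:02d}", STUFFER, f"user{i}@example.com", i == 3)
     for i in range(7)]
    # Shared office NAT: many users, all succeeding.
    + [(f"2024-01-01T10:01:{i:02d}", NAT, f"staff{i}@example.com", True)
       for i in range(5)]
    # One person mistyping a password, then getting it right.
    + [("2024-01-01T10:02:00", HOME, "alice@example.com", False),
       ("2024-01-01T10:02:20", HOME, "alice@example.com", True)]
)


def find_stuffing(events, window=timedelta(minutes=10),
                  min_users=5, min_fail_ratio=0.75):
    """Map each suspicious source IP to the accounts it logged in to.

    Suspicious: within one sliding window the source tried at least
    `min_users` distinct usernames and at least `min_fail_ratio` of the
    attempts failed. Both thresholds are assumptions to tune.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {user for _, user, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Every account this source got into needs a password reset.
                flagged[ip] = {user for _, user, ok in rows if ok}
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_EVENTS).items():
        print(ip, "-> reset:", sorted(accounts))
```

The shared NAT and the single mistyped password are not flagged, because the rule requires both many distinct usernames and a high failure ratio from the same source.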
