Roku, the creator of affordable streaming set-top boxes and the ad-supported Roku Channel, disclosed that 15,363 customer accounts have been breached, sometime between Jul 03, 2025 and Aug 09, 2025, as first reported by Bleeping Computer, and detailed in filings to the State Attorneys General of California and Maine.

According to Roku, the account information was accessed via a third-party service not affiliated with Roku; that is, login credentials scraped from another hack or breach that happened to also work as a Roku login. This didn’t give the hackers access to highly sensitive information like Social Security numbers or credit card numbers, but in a limited number of cases, it did allow them to purchase subscriptions to streaming services like Max or Peacock.


Bleeping Computer identifies the method the hackers used as a “credential stuffing attack” in which “threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites.” Once they were in, the hackers were able to change the password of affected accounts and then used them as they pleased.
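
For anyone running a login service, the pattern described above (one source trying many accounts with mostly failed logins, then changing the password on the ones that work) shows up in authentication logs. The following is an added example, not code from Roku or Bleeping Computer; the log format, event names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Roku data): timestamp, source IP, account, event.
SAMPLE_LOG = """\
2025-07-03T10:00:01 203.0.113.7 alice@example.com login_fail
2025-07-03T10:00:03 203.0.113.7 bob@example.com login_ok
2025-07-03T10:00:05 203.0.113.7 carol@example.com login_fail
2025-07-03T10:00:08 203.0.113.7 dave@example.com login_fail
2025-07-03T10:00:11 203.0.113.7 erin@example.com login_ok
2025-07-03T10:00:14 203.0.113.7 frank@example.com login_fail
2025-07-03T10:01:30 203.0.113.7 bob@example.com password_change
2025-07-03T10:02:00 198.51.100.20 carol@example.com login_fail
2025-07-03T10:02:20 198.51.100.20 carol@example.com login_ok
2025-07-03T10:03:00 198.51.100.20 carol@example.com password_change
"""

WINDOW = timedelta(minutes=10)   # assumed thresholds; tune to real traffic
MIN_ACCOUNTS = 5                 # distinct accounts tried by one IP inside WINDOW
MIN_FAIL_RATIO = 0.5             # reused credentials mostly fail

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, account, event = line.split()
        yield datetime.fromisoformat(ts), ip, account, event

def detect_stuffing(log):
    """Flag IPs that try many accounts with mostly failures; list resulting takeovers."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        logins = [e for e in events if e[3] in ("login_ok", "login_fail")]
        # Largest number of distinct accounts in any WINDOW that starts at a login.
        spread = max((len({a for t, _, a, _ in logins if s <= t <= s + WINDOW})
                      for s, *_ in logins), default=0)
        fails = sum(e[3] == "login_fail" for e in logins)
        if spread < MIN_ACCOUNTS or fails / len(logins) < MIN_FAIL_RATIO:
            continue
        # Earliest successful login per account (reversed so the first one wins).
        first_ok = {a: t for t, _, a, ev in reversed(logins) if ev == "login_ok"}
        changed = sorted({a for t, _, a, ev in events
                          if ev == "password_change" and a in first_ok and t > first_ok[a]})
        findings[ip] = {"accounts_tried": spread, "logged_in": sorted(first_ok),
                        "password_changed": changed}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The second address in the sample, a single user who mistypes a password and then changes it, is not flagged because it only ever touches one account.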

The added wrinkle, according to Bleeping Computer, is that the hackers are also attempting to sell the stolen information on a stolen account marketplace for as little as 50 cents. Roku has alerted anyone who has an affected account via mail (the notification letter is available here), reset the passwords of affected accounts, and is beginning to refund unauthorized purchases. Whether or not you know that your Roku account has been accessed, it’s not a bad idea to look for any unusual Roku transactions and change your password now.


How to reset your Roku password

It only takes a few minutes and is worth the effort

Resetting your Roku account password works about the same as for any other online account; just make sure you have your email handy.

How to find out if your account has been compromised

Companies in the US are legally required to notify customers if their personal information has been compromised, so in most cases you’ll receive an email or letter notifying you if there’s an issue. Roku has reportedly already notified those impacted by the breach, so check your email or watch for a letter in the mail. However, there are better ways to stay on top of breaches.

While fixing these kinds of issues is a bit of a headache, and it feels unfair that the duty of keeping things secure falls primarily on the customer, it’s the reality of the world we live in. Using a password manager, creating distinct passwords for all of your accounts, and deploying other security best practices can help keep your accounts safe going forward, regardless of how companies mess up.