AJCxZ0
Streaming Star

Roku Data Breach 28 Dec 2023 - 21 Feb 2024

From Office of the Maine Attorney General Data Breach Notifications:

Date(s) Breach Occurred: 12/28/2023 - 2/21/2024
Date Breach Discovered: 1/4/2024 - 2/21/2024

From Over 15,000 hacked Roku accounts sold for 50¢ each to buy hardware - 11 Mar 2024,

Update 3/11/24: After the publication of our article, Roku disputed what we were told, stating that the new Dispute Resolution Terms are not related to the hacked accounts and fraudulent activities.

See Roku disables players and TVs with attempt to coerce arbitration agreement for reference.

Roku hackers breach 15,000 accounts and are selling them online 12 Mar 2024

Thousands of Roku accounts hacked including credit cards — what you need to know 12 Mar 2024

Over 15,000 Roku Accounts Hacked & Sold Online to Use People's Saved Credit Cards 11 Mar 2024

There is much similar reporting by many other outlets.

AJCxZ0
Streaming Star

Re: Roku Data Breach 28 Dec 2023 - 21 Feb 2024

Modern strong authentication mechanisms used in or as multi-factor or two-factor authentication (MFA, 2FA) include Passkeys (a.k.a. WebAuthn), Tokens (e.g. YubiKey), and Time-based One Time Password (TOTP, a.k.a. your "authenticator app"). These are well supported by popular password managers and other tools.

Less robust second factor authentication methods include sending codes by email or SMS [Strongly discouraged].

For sites and services which only use weak password authentication, breaches provide access to accounts for anyone with access to the breach data. The best resource for information on breaches and checking your email (or domain) is Troy Hunt's Have I Been Pwned (HIBP).

pdxviewer
Binge Watcher

Re: Roku Data Breach 28 Dec 2023 - 21 Feb 2024

I for one am flabbergasted as to why ROKU DOES NOT UTILIZE MFA/2FA etc. to secure accounts!  It is inexcusable and should be implemented.  Now, more than ever.  If you are concerned with end users not being able to log in with their TV, box etc., then enable what other sites do: a nice little link to join where you enter a predefined code on the TV to pair it once the user is logged in.

SERIOUSLY ROKU!  Get with the program!!!! (No Pun intended)

Hakemon
Channel Surfer

Re: Roku Data Breach 28 Dec 2023 - 21 Feb 2024

That's it, I'm reaching out to "my contact" to see what options I have.

I am livid for being this violated.  I advise all of you to do the same to see what our options are.  Do NOT listen to armchair people here, they are not "your contact".  Only listen to your contact.

StopTheFomo
Channel Surfer

Re: Roku Data Breach 28 Dec 2023 - 21 Feb 2024

Roku is correct in saying that the new TOS is unrelated to the recent data breach; HOWEVER, what I believe is subject to suspicion is the timing of the "forced" acceptance of the new TOS days before the official disclosure of the data breach:

  2023: Roku completes new TOS
  January 2024: Breach discovered
  March 5: Forced acceptance of new TOS
  March 8: Disclosure of data breach

It's not so much the new TOS (all companies update their TOS to their benefit) but rather the forced acceptance mechanism days before the disclosure of the breach. I'm questioning whether this unexpected and unusual manner of coercion is indeed related to the disclosure, and that should be the query.

Stop the FOMO!
AJCxZ0
Streaming Star

Re: Roku Data Breach 28 Dec 2023 - 21 Feb 2024

After the "second incident, which impacted approximately 576,000 additional accounts." reported in the fourth paragraph of the disingenuously titled Protecting your Roku account, instead of adopting any of the common, reliable, well-supported and secure 2FA/MFA options, Roku has forced the inconvenient code-via-plaintext-email on all accounts with no option to disable it.

An alternative of the static "last 5 characters of the device ID" from any (presumably owned) Roku device is provided. While not comparable to a good modern authentication method, it does satisfy the something-you-know where that something is not widely known (such as a Social Security Number). Testing this, I found

  1. Roku Ultra (4800 series): This device ID does not match our records.
  2. Roku Ultra (4640 series): This device ID does not match our records.
  3. Roku Streaming Stick+ (3810, 3811 series): This device ID does not match our records.

I did not bother powering on the Roku Premiere+ (4630 series) to test it. All these devices show up on my Dashboard.

The page offers, "Need help? Visit Roku customer support.", but instead of customer support, it's How to change your password or email for your Roku account.
