Thanks, Dan. I understand your explanation. The hackers stole credentials from a different site, not from Roku. Only the credentials that were identical between that site and Roku became vulnerable to this credential stuffing attack.

I'm grateful to learn from you that Roku sent email yesterday to notify impacted users, implemented 2FA to keep our accounts safer, and refunded unauthorized charges.

HOW TO GEEK  is along time email subscription who is reporting:

"Roku will enforce mandatory two-factor authentication (2FA) on all accounts following security breaches that affected approximately 591,000 user accounts earlier this year. The breaches, apparently occurred in two separate incidents, with the first impacting 15,363 accounts and prompting closer monitoring of account activity in March. The company then discovered a much bigger breach affecting about 576,000 accounts. Less than 1% of all Roku accounts were affected by the breach, but due to the massive scale of Roku's installation base, that's still a lot of people. "

THEYRE ADVISING ALL ROKU ACCONTS TO CHANGE PW IMMED.

@RICKART all true, but missing one critical detail. The breaches did not happen on Roku servers. The breaches occurred on other sites, which did provide the thieves with stolen login credentials to that specific site. The issue is people often use the same user credentials on different sites, and that's what happened at Roku. The credentials stolen from other sites would work on the Roku site. Roku themselves did not lose any personal information, such as complete credit card info. By implementing 2FA, even if they have the correct credentials they cannot successfully log into the Roku account since they would also have to have access to the stolen email account as well. 

This is really bad practice, the very first thing you do is email customers and explain why you are doing a forced password reset.

I love it how companies try to say only X accounts were affected when the reality is they probably have no idea what hackers were able to obtain.

I do feel that it is irresponsible for users to use the same password on two sites where there is a potential for a financial loss, but there seems to me more to this story.

The only way to protect your data is not to provide it in the first place.  I did not provide my credit card information and based on some of the things I have found out about Roku snooping on my usage it is clear I made the right decision.  On other sites I try to trade at arms length, for example with Apple I removed my card details and only use Apple Gift cards that I buy in supermarket on online from 3rd parties.   

I do not use the same credentials with Amazon Echo and Ring devices, none of them are given my true location although I am well aware that Amazon can determine this from neighbours via their mesh network so have taken steps to prevent that.

I don't let any organisation use my wifi and my ISP uses random IP's from their network of data centres, I have my router shut off for an hour overnight to ensure a new one each day.  I used different browsers for different purposes, nothing secure is used on the browser I am using to access this website.  

I do not even provide the same email address to two different organisations never mind the same password, I generate new passwords for every site.  So no crumbs and any security issues only affect the single company.  

Sadly these and other steps are necessary in these days of hackers and sloppy corporations. I suspect that the haveibeenpwned website will be updated with this alleged hack in due course.  That was where I found out my accounts details at Amazon and eBay had been stolen.  I do not store CC information with either nor allow paypal charges without TFA on a separate dedicated phone.

We have to take some responsibility to protect our data, such as not providing it unless absolutely necessary, but still I would have liked it if Roku had informed me.