(Reuters) – Streaming service provider Roku (NASDAQ:) said Friday it identified a second cyberattack that affected about 576,000 additional accounts as it investigated a breach that affected 15,000 user accounts earlier this year.
The company, which had more than 80 million active accounts, said the hackers did not gain access to any sensitive information such as full credit card numbers or other payment details.
Roku shares fell about 2% in early trading.
However, the company said it has identified fewer than 400 cases where information was used to make unauthorized purchases of streaming service subscriptions and hardware products using a payment method stored in accounts.
The company said it would refund or cancel payments for accounts it determined made unauthorized purchases as part of the attack.
Roku linked the unauthorized access to “credential stuffing,” where users could use the same credentials on different platforms.
Meanwhile, the company has enabled two-factor authentication for all accounts to strengthen security measures.