Roku forcing 2-factor authentication after 2 breaches of 600K accounts

Roku disclosed two credential-stuffing incidents that collectively impacted about 591,000 customer accounts (approximately 15,000 in an initial incident and 576,000 discovered subsequently). Attackers accessed stored payment methods and made under 400 unauthorized purchases; Roku says full card numbers were not exposed and will require two-factor authentication to prevent future account takeovers.