A successful credential stuffing attack that yields 500k valid credentials is undoubtedly enabled by a login endpoint that isn't protected by a rate-limiting and abuse-detecting firewall. Or am I wrong?
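To make the commenter's point concrete, here is an added example (not code from the thread, from Roku, or from 23andMe) of the two checks such a layer would run in front of a login handler before the password is ever verified: a per-IP sliding-window rate limit, and a credential-stuffing heuristic that counts distinct usernames per IP. The log format, the IP addresses, the usernames and the thresholds are all constructed for the example.

```python
"""Per-IP rate limiting plus a credential-stuffing heuristic, run over
constructed login-log lines. Everything here (log format, IPs, thresholds)
is an assumption made for the example, not any vendor's real setup."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format (an assumption): ISO timestamp, source IP, username, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (epoch_seconds, ip, user, result) for one constructed log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ip"], m["user"], m["result"]


class LoginGuard:
    """Sliding-window counters keyed by source IP, evaluated on every attempt.

    Two independent signals:
      * total attempts in the window: the classic rate limit, which catches
        brute force against a single account;
      * distinct usernames in the window: credential stuffing tries one
        leaked password per username, so the per-account failure count stays
        at one while the username count climbs quickly.
    """

    def __init__(self, window=60.0, max_attempts=10, max_users=5):
        self.window = window              # seconds
        self.max_attempts = max_attempts  # attempts per IP per window
        self.max_users = max_users        # distinct usernames per IP per window
        self.history = defaultdict(deque)  # ip -> deque of (ts, user)

    def check(self, ts, ip, user):
        """Return 'allow', 'rate_limited' or 'stuffing_suspected' for this attempt."""
        q = self.history[ip]
        while q and ts - q[0][0] >= self.window:   # drop entries outside the window
            q.popleft()
        q.append((ts, user))
        if len(q) > self.max_attempts:
            return "rate_limited"
        if len({u for _, u in q}) > self.max_users:
            return "stuffing_suspected"
        return "allow"


def analyze(lines, guard=None):
    """Run the guard over log lines in order; return [(ip, user, verdict), ...]."""
    guard = guard or LoginGuard()
    verdicts = []
    for line in lines:
        ts, ip, user, _result = parse_line(line)
        verdicts.append((ip, user, guard.check(ts, ip, user)))
    return verdicts


def blocked_ips(verdicts):
    """Source IPs that received at least one non-allow verdict."""
    return sorted({ip for ip, _, v in verdicts if v != "allow"})


# Constructed sample log (not real traffic):
SAMPLE_LOG = [
    # a legitimate user who mistypes twice and then succeeds
    "2024-04-12T10:00:01Z ip=198.51.100.20 user=alice result=fail",
    "2024-04-12T10:00:09Z ip=198.51.100.20 user=alice result=fail",
    "2024-04-12T10:00:15Z ip=198.51.100.20 user=alice result=ok",
    # credential stuffing: one IP, one try per username, a few seconds apart
    "2024-04-12T10:01:00Z ip=203.0.113.7 user=bob result=fail",
    "2024-04-12T10:01:01Z ip=203.0.113.7 user=carol result=fail",
    "2024-04-12T10:01:02Z ip=203.0.113.7 user=dave result=ok",
    "2024-04-12T10:01:03Z ip=203.0.113.7 user=erin result=fail",
    "2024-04-12T10:01:04Z ip=203.0.113.7 user=frank result=fail",
    "2024-04-12T10:01:05Z ip=203.0.113.7 user=grace result=fail",
] + [
    # brute force: 11 attempts against one account in about 20 seconds
    f"2024-04-12T10:02:{s:02d}Z ip=203.0.113.9 user=admin result=fail"
    for s in range(0, 22, 2)
]

if __name__ == "__main__":
    for ip, user, verdict in analyze(SAMPLE_LOG):
        print(f"{ip:14} {user:6} {verdict}")
    print("blocked:", blocked_ips(SAMPLE_LOG and analyze(SAMPLE_LOG)))
```

The stuffing source is flagged on its sixth distinct username, well before it reaches the plain attempt limit, which is the point of counting usernames separately. Two caveats a deployment needs: real stuffing campaigns spread attempts across many IPs so that each one stays under both thresholds, so the same counters should also be kept per ASN, per device fingerprint and globally (a site-wide spike in distinct usernames with a flat per-account failure rate is the signature); and the response should usually be a challenge (CAPTCHA, step-up verification) rather than a hard block, so that shared NAT addresses are not locked out.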
Not wrong. Laziness, just like 23andme. Didn't move to 2FA until after the attack.
> As a part of our ongoing commitment to information security, we have enabled two-factor authentication (2FA) for all Roku accounts, even for those that have not been impacted by these recent incidents. As a result, the next time you attempt to log in to your Roku account online, a verification link will be sent to the email address associated with your account, and you will need to click the link in the email before you can access the account.
> We understand that 2FA adds an extra step to the login process. That’s why we’ve worked hard to make it as simple as possible. If you need assistance, please visit How to sign in with two-step verification on our Customer Support site for more information.