DataBreaches.Net

Rewards “R” Us members notified of forced password reset

Posted on February 2, 2017 by Dissent

Toys “R” Us has been notifying members of their Rewards “R” Us program after they obtained evidence of attempts to gain unauthorized access to some accounts. A spokesperson for the retailer tells DataBreaches.net:

The vendor responsible for our loyalty program made us aware of unauthorized attempts to access our Rewards member accounts. This appears to be related to earlier online breaches of websites not associated with Toys”R”Us, Rewards”R”Us or our vendor. Online user names and passwords stolen during those breaches were then used to attempt to access other online accounts, including Rewards”R”Us account information in an attempt to defraud customers of their rewards coupons. While Rewards”R”Us members’ names and addresses may have been compromised, it’s important to know that credit card, banking and payment information are not in this vendor database and were not accessed in this incident. As a precaution, we have reached out to our loyalty program members to encourage them to update their account passwords and to remedy any problems that may have arisen as a result of this incident. We are also working with our vendor to ensure they implement additional security protocols to prevent future threats.

The full text of their notification email, sent to this site by a consumer who was trying to verify its authenticity:

We are writing to notify you that the Toys”R”Us IT security team identified an attempt to gain unauthorized access to Rewards”R”Us accounts and thus redeem some members’ Reward coupons between November 11, 2016 and January 17, 2017. Below is information we wanted to share to help protect you against potential misuse of your information.

What Happened?
The vendor who manages our Rewards”R”Us loyalty program recently advised us of unauthorized attempts to access Rewards”R”Us loyalty member accounts. It appears this was an effort to fraudulently redeem Rewards coupons beginning in November. We expect this activity is related to previously reported online breaches, not affiliated with Toys”R”Us, where thieves stole login names and passwords. This may be because the thieves know that users tend to have the same password across multiple accounts.

What Information Was Involved?
Account information may include the loyalty members’ name, email addresses, mailing address and phone number(s). If you have a Geoffrey’s Birthday Club account and it is linked to your Rewards”R”Us account, then information in this account, such as your child’s name and birth date, may have been accessed as well. Please be assured that the Rewards”R”Us profiles and vendor database do not contain credit card numbers, payment or other sensitive personal information, such as Social Security numbers.

What We Are Doing.
Out of an abundance of caution, we have gone ahead and reset your password. (Details on how to reset your password are below.) We are also working with our vendor to ensure additional security measures are implemented to help prevent future unauthorized activity. We have reinstated any points associated with your account during the corresponding timeframe to help minimize any customer inconvenience. The newly issued Rewards will be emailed to members within 10 business days and can be accessed via the Rewards”R”Us website on or around 2/8/17.

What You Can Do.
Internet security experts recommend using different passwords for each account and electing passwords that are hard to guess. In addition, we will never ask you for personal or account information in an email, so you should not respond if you receive unsolicited emails that ask for that information.

How to reset your Rewards”R”Us password:
1. Visit Forgot Password section of the Rewards”R”Us website here https://rewardsrus.toysrus.com/index.cfm/login#forgotPassword
2. Enter your Membership # and the Email address associated with your account and click “Submit”. If you lost or forgot your Membership #, click on “Forgot Membership #”. For help, you may also contact us at 1-800-TOYSRUS.
3. Answer the security question and create your new password. We recommend a complex password that includes a mix of letters, numbers and symbols. Do not reuse a password you have used before or at other sites.
4. A pop-up window will appear upon a successful password change.
5. Login to your account using your Membership # or email address and new password.

For More Information
We apologize for any inconvenience. If you have any questions, contact us at 1-800-TOYSRUS.

Category: Breach Incidents, Business Sector, Hack
