Toys “R” Us has been notifying members of their Rewards “R” Us program after they obtained evidence of attempts to gain unauthorized access to some accounts. A spokesperson for the retailer tells DataBreaches.net:
The vendor responsible for our loyalty program made us aware of unauthorized attempts to access our Rewards member accounts. This appears to be related to earlier online breaches of websites not associated with Toys”R”Us, Rewards”R”Us or our vendor. Online user names and passwords stolen during those breaches were then used to attempt to access other online accounts, including Rewards”R”Us account information in an attempt to defraud customers of their rewards coupons. While Rewards”R”Us members’ names and addresses may have been compromised, it’s important to know that credit card, banking and payment information are not in this vendor database and were not accessed in this incident. As a precaution, we have reached out to our loyalty program members to encourage them to update their account passwords and to remedy any problems that may have arisen as a result of this incident. We are also working with our vendor to ensure they implement additional security protocols to prevent future threats.
The full text of their notification email, sent to this site by a consumer who was trying to verify its authenticity:
We are writing to notify you that the Toys”R”Us IT security team identified an attempt to gain unauthorized access to Rewards”R”Us accounts and thus redeem some members’ Reward coupons between November 11, 2016 and January 17, 2017. Below is information we wanted to share to help protect you against potential misuse of your information.
What Happened?
The vendor who manages our Rewards”R”Us loyalty program recently advised us of unauthorized attempts to access Rewards”R”Us loyalty member accounts. It appears this was an effort to fraudulently redeem Rewards coupons beginning in November. We expect this activity is related to previously reported online breaches, not affiliated with Toys”R”Us, where thieves stole login names and passwords. This may be because the thieves know that users tend to have the same password across multiple accounts.What Information Was Involved?
Account information may include the loyalty members’ name, email addresses, mailing address and phone number(s). If you have a Geoffrey’s Birthday Club account and it is linked to your Rewards”R”Us account, then information in this account, such as your child’s name and birth date, may have been accessed as well. Please be assured that the Rewards”R”Us profiles and vendor database do not contain credit card numbers, payment or other sensitive personal information, such as Social Security numbers.What We Are Doing.
Out of an abundance of caution, we have gone ahead and reset your password. (Details on how to reset your password are below.) We are also working with our vendor to ensure additional security measures are implemented to help prevent future unauthorized activity. We have reinstated any points associated with your account during the corresponding timeframe to help minimize any customer inconvenience. The newly issued Rewards will be emailed to members within 10 business days and can be accessed via the Rewards”R”Us website on or around 2/8/17.What You Can Do.
Internet security experts recommend using different passwords for each account and electing passwords that are hard to guess. In addition, we will never ask you for personal or account information in an email, so you should not respond if you receive unsolicited emails that ask for that information.How to reset your Rewards”R”Us password:
1. Visit Forgot Password section of the Rewards”R”Us website here
https://rewardsrus.toysrus.com/index.cfm/login#forgotPassword
2. Enter your Membership # and the Email address associated with your account
and click “Submit”. If you lost or forgot your Membership #, click on “Forgot
Membership #”. For help, you may also contact us at 1-800-TOYSRUS.
3. Answer the security question and create your new password. We recommend a
complex password that includes a mix of letters, numbers and symbols. Do
not reuse a password you have used before or at other sites.
4. A pop-up window will appear upon a successful password change.
5. Login to your account using your Membership # or email address and new
password.For More Information
We apologize for any inconvenience. If you have any questions, contact us at
1-800-TOYSRUS.