Toys ‘R’ Us Says Rewards Accounts Being Attacked Using Data Stolen Elsewhere

Image courtesy of Nicholas DiMaio

Here’s another example of why you should take experts’ advice when they say not to use the same password on multiple sites: Hackers have been apparently been attempting to breach accounts of Toys ‘R’ Us rewards program members using data they got from other hacks.

CBS affiliate KDKA in Pittsburgh reports that Rewards ‘R’ Us members have been receiving messages from Toys ‘R’ Us saying that between November and January, there were “unauthorized attempts to access Rewards ‘R’ Us loyalty member accounts.”

But those attempts didn’t come from a breach at Toys ‘R’ Us — at least not according to the retailer, which claim its computers were not hacked. Instead, the company believes that the information has come from previous breaches where thieves yanked lists of user names and passwords. (Goodness knows we’ve had enough of those in recent years.)

If your username and password for one site get stolen, it’s easy enough to go change that one password. But if you use the same set of login information across many sites, you’ve suddenly got a much bigger problem.

Many sites ask customers to use an email address as a login. So if a would-be thief has a long list of email address/password pairs, they can start flinging it at basically any website to see which ones go “click” and let them in.

“The vendor responsible for our loyalty program made us aware of unauthorized attempts to access our Rewards member accounts,” Toys ‘R’ Us confirmed to Consumerist in a statement.

“This appears to be related to earlier online breaches of websites not associated with Toys ‘R’ Us, Rewards ‘R’ Us or our vendor. … While Rewards ‘R’ Us members’ names and addresses may have been compromised, it’s important to know that credit card, banking and payment information are not in this vendor database and were not accessed in this incident,” Toys ‘R’ Us continued.

“As a precaution, we have reached out to our loyalty program members to encourage them to update their account passwords and to remedy any problems that may have arisen as a result of this incident. We are also working with our vendor to ensure they implement additional security protocols to prevent future threats.”

In the meantime, if you have a Toys ‘R’ Us rewards account and are concerned, you can go change your password… and maybe change some on other sites too while you’re at it.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.