Company notifies customers, advises using unique passwords

Mar 2, 2015 08:03 GMT

Toys “R” Us is informing account holders that it has initiated a hard password reset procedure for their accounts as a result of attempts by a third party to gain unauthorized access.

The decision comes not because the toy retailer’s computer network has fallen victim to a cyber-attack, but because a different company was compromised and the cybercriminals used the credentials stolen there to log into Toys “R” Us accounts.

Recycling credentials across services is a known problem in the security industry, and it persists even though experts take every opportunity to point out that cybercriminals test stolen username and password databases on multiple services in order to increase their revenue stream.

Customers have to define a new password

In a letter notifying its customers of the decision, the company explains that illegal log-in attempts were recorded for a number of Rewards “R” Us accounts over a brief period of time, between January 28 and January 30.

“Out of an abundance of caution, we are therefore treating your account password as compromised and taking appropriate steps to address that situation,” the company says.

Users who have a Geoffrey's Birthday Club account linked to Rewards “R” Us are also affected by the password reset.

The communication sent to the affected individuals provides clear instructions for getting a new password, based on the registration email used before January 28.

Lost rewards are reinstated

The company assures its customers that they will not bear any losses that may have occurred as a result of this incident.

As such, all the points corresponding to reward dollars that were printed during the aforementioned time frame are to be reinstated, even if the action was carried out legitimately by the users.

Additionally, Endless Earnings gift cards that were used between January 28 and January 30 have been deactivated and new ones will be issued, with the amount available as of January 27.

The company offers a set of best practices to ensure that customers rely on strong protection for their accounts; mixing letters, numbers and symbols in the password is at the top of the recommendations, followed by the advice to use a unique string for each online account.