On the morning of Friday, February 3, 2017, the Toys “R” Us IT security team identified an attempt to gain unauthorized access to the Reward “R” Us accounts between the time period of November 11, 2016 and January 17, 2017. Below you can find further information from the IT security on what happened, what information was involved, what the IT security team is doing and what you can do.
The vendor who manages our Rewards”R”Us loyalty program recently advised us of unauthorized attempts to access Rewards”R”Us loyalty member accounts. It appears this was an effort to fraudulently redeem Rewards coupons beginning in November. We expect this activity is related to previously reported online breaches, not affiliated with Toys”R”Us, where thieves stole login names and passwords. This may be because the thieves know that users tend to have the same password across multiple accounts.
What Information Was Involved?
Account information may include the loyalty members’ name, email addresses, mailing address and phone number(s). If you have a Geoffrey’s Birthday Club account and it is linked to your Rewards”R”Us Account, then information in this account may have been accessed as well. Please be assured that the Rewards”R”Us profiles and vendor database do not contain credit card numbers, payment or other sensitive personal information, such as Social Security numbers.
What We Are Doing.
We do not believe your account was accessed during this time frame and have no reason to believe that your password was compromised. However, out of an abundance of caution, we are encouraging all of our loyalty members to reset their passwords. (Details on how to reset your password are below.) We are also working with our vendor to ensure additional security measures are implemented to help prevent future unauthorized activity.
What You Can Do.
Internet security experts recommend using different passwords for each account and electing passwords that are hard to guess. In addition, we will never ask you for personal or account information in an email, so you should not respond if you receive unsolicited emails that ask for that information.
Although if your account may not have been compromised (if you have one) it would still be in your best interest to reset your password and to make it unique. Always to be better safe than sorry.
If you have any questions on security or best practices of any kind, don’t hestitate to reach out to our team for guidance!