Toys“R”Us resets user passwords following third-party attempts to gain access

Amid the seemingly endless roar of news stories about hacked companies losing data through poor security, it’s heartening to hear of a company quietly getting it right.

Toys”R”Us has encouraged members of its Rewards”R”Us program to reset their passwords following “unauthorized attempts to access our Rewards member accounts” using stolen credentials obtained from data breaches affecting other, unrelated, sites.

According to, a Toys”R”Us spokesperson said this “appears to be related to earlier online breaches of websites not associated with Toys”R”Us, Rewards”R”Us or our [loyalty program] vendor. Online user names and passwords stolen during those breaches were then used to attempt to access other online accounts, including Rewards”R”Us account information in an attempt to defraud customers of their rewards coupons. […] As a precaution, we have reached out to our loyalty program members to encourage them to update their account passwords and to remedy any problems that may have arisen as a result of this incident.”

This isn’t the first time Toys”R”Us has taken action to protect its Rewards”R”Us members from security problems arising from password reuse.

In March 2015, it noticed that criminals had made several attempts to hack customer accounts using credentials gained from another compromised site, and took the precaution of initiating a hard password reset.

In an email to its customers at the time, the toy retailer said:

‘Toys“R”Us has many layers of account security in place to keep your Rewards“R”Us account balance and other profile information safe. Recently, because of mechanisms in place to alert us to potential efforts to overcome that security, we identified an attempt to gain unauthorized access to a small percentage of Rewards“R”Us accounts from 1/28/15 – 1/30/15. We suspect this activity was due to large breaches at other companies (not Toys“R”Us), where user login names and passwords were stolen and then used for unauthorized access to other accounts, such as Rewards“R”Us accounts where a user may use the same login name and/or password. It appears that your Rewards“R”Us account may have been accessed during this time frame by individuals who may have obtained your account password from another source or successfully guessed it. Out of an abundance of caution, we are therefore treating your account password as compromised and taking appropriate steps to address that situation.’

The password problem

Passwords are difficult things. You need to make them so complicated that cracking tools can’t easily break them and you need to use different ones for every site you use: after all, it’s no good having one really strong password that you use everywhere because if it’s stolen, all of your accounts are potentially compromised.

You also need to remember them all, and this is where the problem inevitably lies. Human memory is fallible, so:

  • People use simple passwords.
  • People reuse their passwords.

In 2016, the US suffered the greatest number of data breaches in the world, accounting for 47.5% of all incidents. And all of those stolen records inevitably have a knock-on effect. As Microsoft’s Security Intelligence Report (SIR), Volume 17 put it: “What makes stolen account credentials so valuable to cybercriminals is the extent to which users reuse their account names and passwords across different sites and services”.

Once they’ve gained a set of records, criminals will automate attacks using the stolen username/password combinations to see what else they can gain access to. Password reuse is rife, so the statistical chances of their gaining access to multiple sites with a single set of stolen credentials are high.

A strong password needn’t be overcomplicated. A seven-character alphanumeric password (using uppercase and lowercase letters as well as numbers) has over three trillion combinations. Assuming an attacker’s password cracking tool can make 1,000 attempts per second, it would take the average attacker decades to crack. Avoid words listed in a dictionary, and add in special characters, and the strength of your password increases dramatically.

Password security for business

It’s not just individuals who are at risk when they reuse passwords: their employers are as well. Enterprises that want to protect their critical information assets should ensure their staff use strong and unique passwords. The best way to do this is to look to the international standard for information security management, ISO 27001. An ISO 27001-compliant ISMS (information security management system) provides a holistic approach to information security that addresses people, processes and technology, protecting against human error as much as automated cyber attacks on software vulnerabilities.

Find out more about ISO 27001 >>



  1. Paco Hope March 6, 2015
    • Neil Ford March 6, 2015