It seems not even plushies are safe anymore
Now this is something that could have gone in the Internet of Shit thread...
Whether the data breach qualified for requiring notification is a question for the lawyers to debate, but on its face I don't think so.
The passwords were not encrypted; they were hashed, and the law doesn't cover hashed data. What's more, encrypted data is only included under the scope when there is reason to suspect that the encryption key might have also been stolen. Since there is no key for hashed data, it can't meet this condition.
The personal information definition requires that both a username and a secret verification factor -- password, security question and answer -- must be stolen, which, together, are sufficient to grant a malicious actor access to the user's account. The data that was stolen consisted of user names in the clear, but the passwords were hashed, and using a presumably secure method.
The only plausible reason that it might have required notification was after they'd been informed that many of the accounts had insecure passwords which could be easily cracked from the hashes in the leaked databases. At that point they had reasonable evidence that both usernames and passwords to at least some of the accounts were available to malicious actors. But the law doesn't appear to require them to automatically assume that securely-hashed passwords would be cracked if they're part of the data leak.