Toys “R” Us Canada Data Breach Exposes Customer Information
▼ Summary
– Toys “R” Us Canada notified customers of a data breach after threat actors leaked stolen customer records from its systems.
– The breach was discovered on July 30, 2025, when a threat actor posted claimed customer data on the dark web, which was later confirmed as authentic.
– Leaked personal information includes full names, physical addresses, email addresses, and phone numbers, but not passwords or credit card details.
– The company has upgraded its IT security and is notifying Canadian privacy authorities in response to the incident.
– Customers are advised to be vigilant for phishing attempts and ignore unsolicited communications requesting personal information.
Toys “R” Us Canada has begun notifying customers about a significant data security incident after discovering that unauthorized individuals had accessed and distributed customer information from their systems. The breach came to light on July 30, 2025, when company officials identified a dark web posting containing what appeared to be legitimate customer records.
The company confirmed through an extensive investigation with cybersecurity specialists that the leaked data was authentic. In customer notifications, Toys “R” Us explained they became aware of the situation through “a posting on the unindexed internet” and immediately engaged external security professionals to contain the incident and conduct a thorough analysis.
According to their investigation findings, the unauthorized party managed to copy specific records from the customer database containing various types of personal information. The compromised data varies by individual but may include combinations of full names, physical addresses, email addresses, and phone numbers.
Importantly, the company emphasizes that account passwords, credit card details, and other similarly sensitive financial information remained secure and were not part of the exposed data. This distinction provides some reassurance to concerned customers about the scope of the breach.
As Canada’s prominent toy retailer operating 40 locations nationwide, Toys “R” Us Canada has taken immediate steps to strengthen its digital defenses. The organization has implemented security enhancements across its information technology infrastructure under the supervision of cybersecurity professionals.
The company is currently fulfilling its regulatory obligations by notifying appropriate Canadian privacy authorities about the data exposure incident. Affected customers are being advised to exercise caution regarding unexpected communications and to remain vigilant against potential phishing attempts that might impersonate the toy retailer to extract additional personal information.
While questions remain about the specific threat actors involved, the total number of impacted customers, and whether any ransom demands were made, the company has not yet provided additional details beyond their initial customer communications and public statements. Security experts recommend that anyone who shopped with Toys “R” Us Canada monitor their accounts and personal information for any suspicious activity.
(Source: Bleeping Computer)
