Security Alert: Toys “R” Us Canada Experiences Data Breach, Customer Information Compromised

Toys “R” Us Canada Data Breach: Customer Records Leaked

Toys “R” Us Canada recently notified its customers about a concerning security incident involving a data breach. The company revealed that threat actors had accessed and leaked customer records from their systems.

The discovery of the data leak occurred on July 30, 2025, when a threat actor made a post on the dark web claiming to have obtained Toys “R” Us customer data.

Upon further investigation with the assistance of third-party experts, it was confirmed that the leaked information was indeed authentic.

Customers were informed through a letter stating, “On July 30, 2025, we were made aware of a third-party claiming to have stolen information from our database. We immediately engaged third-party cybersecurity experts to contain the situation and conduct a thorough investigation.”

It was determined that the unauthorized third party had copied certain records from the customer database, potentially exposing personal information such as full names, physical addresses, email addresses, and phone numbers.

However, Toys “R” Us emphasized that sensitive data like account passwords and credit card information were not compromised in the breach.

Toys “R” Us Canada, a subsidiary of the renowned toy store chain, operates 40 branches nationwide, offering a wide range of products including toys, video games, and clothing.

Following the breach, the company took immediate steps to enhance the security of its IT systems under the guidance of cybersecurity experts.

Additionally, Toys “R” Us is in the process of notifying relevant privacy regulatory authorities in Canada regarding the data breach incident.

Customers who received the notification are advised to be cautious of unsolicited communications and phishing attempts that impersonate Toys “R” Us and request personal information.

Despite reaching out to the company for more details on the threat actor, the extent of customer exposure, and potential ransom demands, BleepingComputer has not received a response as of publication.

46% of environments experienced password cracking, nearly double from the previous year’s 25%.

Access the Picus Blue Report 2025 for comprehensive insights into prevention, detection, and data exfiltration trends.

Get the Blue Report 2025