Toys “R” Us Canada has officially confirmed a data breach that exposed customer information following a cyberattack discovered on July 30, 2025. The company began sending notification letters to affected individuals after confirming that threat actors leaked stolen customer data on the dark web.
The breach came to light when cybersecurity researchers and company analysts found a dark web post claiming to offer stolen data belonging to Toys “R” Us Canada customers. Upon immediate investigation, the retailer engaged third-party cybersecurity experts to assess the situation. Their findings verified that the leaked data was authentic and indeed originated from the company’s systems.
According to the company’s official customer notification letter, “On July 30, 2025, we became aware via a posting on the unindexed internet that a third party was claiming to have stolen information from our database. We immediately hired cybersecurity experts to assist with containment and to investigate the incident.”
The investigation determined that an unauthorized third party copied specific customer records from the company’s database. The compromised information may include full names, physical addresses, email addresses, and phone numbers, depending on the individual case. Fortunately, the retailer emphasized that no passwords, credit card numbers, or other sensitive financial details were affected by the breach.
Toys “R” Us Canada, which operates around 40 stores nationwide, sells toys, video games, and children’s clothing. The company confirmed that it has enhanced the security of its IT infrastructure in cooperation with external cybersecurity professionals to prevent similar incidents in the future.
Additionally, the company has reported the breach to relevant privacy regulators in Canada as required by law. Customers affected by the incident have been urged to remain vigilant and to ignore any suspicious emails or phone calls that may appear to come from Toys “R” Us or request personal data. Phishing attempts are common following such incidents, and threat actors often impersonate legitimate companies to trick victims into disclosing further information.
Cybersecurity experts advise users to verify the authenticity of any messages claiming to be from Toys “R” Us and to monitor their online accounts for unusual activity. They also recommend using unique passwords across different platforms to minimize risk in case of further exposure.
Conclusion:
This latest breach at Toys “R” Us Canada serves as a critical reminder of the ongoing cybersecurity challenges faced by retail businesses managing customer data. While the company’s swift response and transparency are commendable, the incident underscores the importance of proactive data protection strategies, robust encryption practices, and consumer awareness in an age of increasingly sophisticated cyber threats.
