Toys “R” Us Canada is notifying customers of a data breach that leaked their personal details after threat actors published the stolen information on the dark web.
The subsidiary of the American giant, Toys “R” Us, sells toys, dolls, action figures, learning games, building blocks, video games, clothing, and more across 40 locations in Canada.
According to incident notification letters sent to impacted customers, the toy store discovered that an unauthorized entity had accessed and copied personal details from its customer database on July 30.
“On July 30, 2025, we became aware via a posting on the unindexed internet that a third-party was claiming to have stolen information from our database,” it stated.
It responded by immediately engaging the services of experienced third-party cybersecurity experts to assist in investigating the incident and applying containment measures.
Toys “R” Us Canada confirms data breach
The investigation determined that the attacker had accessed customers’ names, physical addresses, email addresses, and phone numbers. However, the data breach did not leak shoppers’ account login credentials, credit card details, or other sensitive information.
“We’d like to stress that no passwords, credit card details, or similar confidential data were involved in this incident,” it assured customers.
Meanwhile, the toy store has not disclosed how many people were affected, when the data breach occurred, the identity of the threat actor, or the attack vector exploited.
However, phishing, compromised credentials, cloud misconfigurations, and unpatched vulnerabilities are among the leading causes of data breaches.
Similarly, no cybercrime gang has claimed responsibility for the Toys “R” Us Canada data breach at the time of publication, and the company has not disclosed receiving any ransom demands.
While the nature of the cyberattack remains unclear, it appears to have had no impact on the toy store’s operations, thus ruling out a ransomware attack, which typically results in cyber extortion.
Additionally, since the threat actor had already published the stolen customer data on the dark web, they were likely uninterested in extorting the company, or ransom negotiations had failed.
“Negative points for Toys ‘R’ Us for taking so long to reveal the breach, although it may have taken them that long to determine what data had been stolen,” said Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “While it is lucky that no truly sensitive data (like credit card numbers or passwords) were stolen, the information that was taken could be used by bad actors to phish for additional information. This means Toys ‘R’ Us customers will need to grow up and stay alert for texts or emails posing as Toys ‘R’ Us looking to glean more information.”
Customers should remain vigilant
Meanwhile, Toys “R” Us Canada has urged customers to remain vigilant and avoid sharing personal information with anyone purporting to work for the company via email or phone.
They should also be wary of unsolicited or unexpected communications and avoid clicking on embedded links or downloading unknown attachments in suspicious emails to avoid phishing.
“Toys ‘R’ Us customers should be on the lookout for targeted phishing emails and text messages from scammers posing as Toys ‘R’ Us or a related company,” reiterated Paul Bischoff, Consumer Privacy Advocate at Comparitech. “The scammers can use the info from the breach to personalize their messages and make them more convincing.”
The company has also apologized for the data breach and implemented additional security measures to prevent a similar data breach in the future.
“We regret any inconvenience or concern this incident may cause you,” the company lamented. “We are committed to further improving our security and are working continually to upgrade our systems to prevent a similar incident from happening again.”
The toy store is also in the process of notifying relevant authorities, including the Office of the Privacy Commissioner of Canada, which has confirmed it is aware of the incident.
While Toys “R” Us Canada has yet to disclose the details of the breach, the leaked data closely resembles customer marketing information exposed in previous Salesforce-related incidents affecting multiple organizations.
