Article Details

Toys “R” Us Canada warns customers' info leaked in data breach. Toys “R” Us Canada has sent notices of a data breach to customers informing them of a security incident where threat actors leaked customer records they had previously stolen from its systems. The company discovered the data leak on July 30, 2025, when a threat actor posted on the dark web what they claimed to be Toys “R” Us customer data. Subsequent investigation of the threat actor’s claims, conducted with the help of third-party experts, confirmed that the information was indeed authentic. “On July 30, 2025, we became aware via a posting on the unindexed internet that a third-party was claiming to have stolen information from our database,” reads the letter sent to customers. “We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident.” “The investigation revealed that the unauthorized third party copied certain records form our customer database which contains personal information.” The data types that were leaked vary per individual, and may contain one or more of the following:  Toys “R” Us underlines that account passwords, credit card information, or other “similar confidential data” were not exposed. Toys “R” Us Canada, a subsidiary of Toys “R” Us, is a toy store chain operating 40 branches across the country, selling toys, video games, and clothing. Following the discovery of the breach, the company has upgraded the security of its IT systems under the guidance of cybersecurity experts. The firm also stated that it is in the process of notifying the applicable privacy regulatory authorities in Canada of the data breach. Meanwhile, the notification recipients are advised to ignore unsolicited communications and remain alert for phishing messages that impersonate Toys “R” Us and request personal information. BleepingComputer has contacted the company to ask more information about the threat actor who leaked the data, how many customers are exposed by this incident, and whether a ransom was demanded, but we have not received a response by publication. Picus Blue Report 2025 is Here: 2X increase in password cracking 46% of environments had passwords cracked, nearly doubling from 25% last year. Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.