- On July 30, 2025, Toys “R” Us Canada learned of unauthorized access to its customer database after threat actors posted on the unindexed internet about the stolen information.
- The breach exposed customers’ names, physical addresses, emails, and mobile numbers, but the company says that no sensitive financial details were among them.
- Cybersecurity experts advise affected customers to watch for targeted phishing schemes, as bad actors may come for more information.

The Canadian subsidiary of American toy giant Toys “R” Us has confirmed a data breach that impacts customer information after threat actors posted stolen personal information on the dark web. The retailer, which operates 40 locations in Canada and sells toys, games, and child-related products, notified shoppers whose information was known to be included once the third party advised that the information had been accessed.
According to incident notification letters that affected shoppers received, the company became aware of the security compromise on July 30, 2025, when a third party posted on the unindexed internet claiming it had obtained information from the company’s database. This follows a recent trend of major companies dealing with dark web leaks, as seen in the recent Qantas data breach.
“We learned on July 30, 2025, through a post on the unindexed Internet that a third-party was claiming to have stolen data from our database,” the company stated. The retailer took prompt action, engaging cybersecurity experts to investigate the matter and implement containment protocols.
The investigation revealed that the attackers were able to access and steal customers’ names, physical addresses, emails, and mobile numbers from the company’s database. The retailer, along with some of its cybersecurity professionals, has given assurances that the data taken did not include more sensitive information and that no account login credentials, credit card information, or similar sensitive information was involved in the incident.
Ambiguous Attack Vector and Timeline
Despite publicly confirming the breach, Toys “R” Us Canada is still keeping key details of the incident under wraps. The number of affected customers is unknown, as are the origin of the breach, the source, and the attack vector.
Across the industry, phishing, compromised credentials, cloud misconfigurations, and unpatched vulnerabilities in internet-facing systems are regarded as among the most common attack vectors in data breaches. No cybercrime organization has stepped up to claim responsibility at the time of reporting. This stands in contrast to other recent incidents, such as when hackers publicly claimed an HSBC USA breach on the dark web, though the bank denied it. The retailer did not state whether any ransom demands were made.
In addition, while it cannot be determined with certainty, the incident seems unlikely to be ransomware: the toy store’s operations do not appear to be affected, and ransomware typically disrupts operations as part of the extortion. The fact that the threat actor has made the stolen data publicly accessible on the dark web suggests that they either lost interest in extortion or that ransom negotiations failed entirely.
Targeted Phishing Campaigns Heighten
Cybersecurity experts have warned about the increasing number of targeted phishing attacks after the breach. A Consumer Privacy Advocate at Comparitech, Paul Bischoff, stated, “bad actors can utilize the stolen details to personalize their fraudulent messages, to manipulate unaware recipients.”
“Toys “R” Us customers should look out for targeted phishing schemes via emails and text messages from imposters or a related firm,” Bischoff said. “These bad actors can collect relevant information to personalize their targets’ profiles and launch convincing communications.”
Toys “R” Us Canada is also encouraging its customers to be wary of anything claiming to come from its brand at this time. Specifically, the retailer told shoppers not to engage with anyone who claims to represent it over email or phone and makes an unsolicited or unexpected request for personal information, not to provide personal information, and not to click on links or download attachments from emails that seem suspicious.
The firm apologized for the breach and set out to strengthen its security systems against similar incidents in the future.
Our Take: A Failure of Timely Disclosure
Let’s be clear: while it’s a relief that credit card details weren’t stolen, Toys “R” Us dropped the ball by taking so long to tell its customers about the breach. That delay left people unaware and vulnerable for weeks. Cybercriminals can do a lot with just your name, address, and email. They’re already using this data to craft convincing phishing emails and texts right now. The company created a dangerous gap between the breach and the warning.
A company’s biggest responsibility after a hack isn’t just to investigate—it’s to protect its customers by giving them the facts, fast. On that front, Toys “R” Us fell short. Saying “no sensitive data was taken” feels like a weak excuse when the data that was taken can still be used to scam people. Customers deserved better.