Toys “R” Us Canada has confirmed a significant data breach that saw customer information copied from its systems and posted online by unknown attackers. The incident was revealed in breach notification emails sent to affected customers on October 23, after the company first became aware of suspicious online posts on July 30, 2025 that claimed stolen data from the retailer’s database.
According to the notifications and public reports, the compromised data includes names, mailing addresses, email addresses and phone numbers pulled from the company’s customer records. Toys “R” Us Canada stressed that no passwords, credit card numbers or other highly sensitive financial information were involved in the breach.
After learning of the claim, the company engaged third-party cybersecurity experts to contain the incident and conduct a forensic investigation, which verified that the personal data had indeed been accessed and copied by an unauthorized third party. Toys “R” Us Canada is also in the process of reporting the breach to Canadian privacy regulators.
Despite confirming the leak, the retailer has not disclosed how many individuals were affected, how the attackers gained access, nor whether any extortion attempt was made ahead of the data appearing online. Questions remain about the timeline between the initial compromise and the delayed notification to customers.
Cybersecurity professionals warn that even without passwords or payment details, exposed contact information can fuel phishing, identity fraud and targeted social-engineering attacks if fraudsters attempt to exploit the data. Toys “R” Us Canada has advised customers to remain vigilant against unsolicited emails, texts or calls that could be scams, and to avoid clicking links or revealing further personal information to unverified contacts.
The breach adds Toys “R” Us Canada to a growing list of retail data incidents in recent years, underscoring ongoing challenges in protecting consumer data against increasingly sophisticated cyber threats.
