Toys “R” Us Canada has sent notices of a data breach to customers informing them of a security incident where threat actors leaked customer records they had previously stolen from its systems.
The company discovered the data leak on July 30, 2025, when a threat actor posted on the dark web what they claimed to be Toys “R” Us customer data.
Subsequent investigation of the threat actor’s claims, conducted with the help of third-party experts, confirmed that the information was indeed authentic.
“On July 30, 2025, we became aware via a posting on the unindexed internet that a third-party was claiming to have stolen information from our database,” reads the letter sent to customers.
“We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident.”
“The investigation revealed that the unauthorized third party copied certain records form our customer database which contains personal information.”
The data types that were leaked vary per individual, and may contain one or more of the following:
Full name
Physical address
Email address
... continue reading