Toys “R” Us Canada warns prospects’ information leaked in data breach

Toys “R” Us Canada has despatched notices of a data breach to prospects informing them of a security incident the place risk actors leaked buyer data that they had beforehand stolen from its programs.

The corporate found the information leak on July 30, 2025, when a risk actor posted on the darkish net what they claimed to be Toys “R” Us buyer knowledge.

Subsequent investigation of the risk actor’s claims, carried out with the assistance of third-party consultants, confirmed that the data was certainly genuine.

“On July 30, 2025, we grew to become conscious through a posting on the unindexed web {that a} third-party was claiming to have stolen info from our database,” reads the letter despatched to prospects.

“We instantly employed third-party cybersecurity consultants to help with containment and to research the incident.”

“The investigation revealed that the unauthorized third get together copied sure data kind our buyer database which incorporates private info.”

The information varieties that have been leaked range per particular person, and should include a number of of the next: 

• Full title
• Bodily handle
• Electronic mail handle
• Cellphone quantity

Toys “R” Us underlines that account passwords, bank card info, or different “related confidential knowledge” weren’t uncovered.

Toys “R” Us Canada, a subsidiary of Toys “R” Us, is a toy retailer chain working 40 branches throughout the nation, promoting toys, video video games, and clothes.

Following the invention of the breach, the corporate has upgraded the security of its IT programs beneath the steerage of cybersecurity consultants.

The agency additionally said that it’s within the strategy of notifying the relevant privateness regulatory authorities in Canada of the data breach.

In the meantime, the notification recipients are suggested to disregard unsolicited communications and stay alert for phishing messages that impersonate Toys “R” Us and request private info.

BleepingComputer has contacted the corporate to ask extra details about the risk actor who leaked the information, what number of prospects are uncovered by this incident, and whether or not a ransom was demanded, however we’ve got not obtained a response by publication.