Toys “R” Us Canada has informed its customers that their personal information may have been compromised in a recent data breach, raising fresh concerns over cybersecurity practices among Canadian retailers.
Quick Summary – TLDR:
- Toys “R” Us Canada confirmed a data breach that exposed customer data including names, addresses, emails, and phone numbers.
- The company became aware of the breach on July 30, 2025, when stolen data appeared on the unindexed internet.
- No passwords, credit card numbers, or financial information were involved, according to the company.
- Customers are being warned to avoid suspicious emails or texts that may be phishing attempts.
What Happened?
Toys “R” Us Canada discovered the breach on July 30, 2025, when a threat actor posted stolen data online, claiming it came from the company’s database. The data was shared on the unindexed internet, possibly referring to the deep web or dark web. Cybersecurity experts were immediately brought in to investigate the situation.
The investigation confirmed that an unauthorized third party had copied certain customer records from the company’s systems. Although sensitive financial data such as credit card information and passwords were not compromised, the breach did involve personally identifiable information like names, addresses, phone numbers, and emails.
🚨🇨🇦 Toys R Us Canada has had data dumped and the company has notified users.
— Dark Web Informer (@DarkWebInformer) October 23, 2025
Data Leak: Names, addresses, phone numbers, and emails pic.twitter.com/1fBu6151uq
Data Breach Details and Company Response
Once the threat was detected, Toys “R” Us Canada quickly enlisted the help of third-party cybersecurity professionals to contain the data breach and assess its scope. The following information was found to be affected:
- Full names
- Email addresses
- Phone numbers
- Mailing addresses
The company sent out a notification to affected customers on Thursday morning, several days after the breach was discovered. That delay has raised questions, especially since the Office of the Privacy Commissioner of Canada mandates that companies notify customers of data breaches “as soon as feasible.”
In a statement to customers, the company said:
Toys “R” Us Canada also noted that it is in the process of reporting the breach to the relevant privacy regulators and has involved legal counsel for further assistance.
Customer Advisory and Ongoing Risks
Toys “R” Us Canada is urging customers to be cautious of unsolicited messages, phishing emails, or spoofing attempts that might follow the breach. These scams often mimic trusted sources to steal more sensitive information.
Here are a few safety tips shared by the company:
- Do not open links or attachments from unknown or suspicious emails.
- Ignore unsolicited messages pretending to be from Toys “R” Us.
- Watch for email addresses with subtle misspellings or extra symbols pretending to be legitimate company contacts.
The company operates 40 locations across Canada and sells a range of toys, games, and clothing. It has not disclosed how many customers were affected, nor how the breach initially occurred.
This incident adds to a growing list of cybersecurity threats targeting Canadian organizations. In the past year, breaches have impacted Canadian Tire Corp., Nova Scotia Power, the College of New Caledonia, and PowerSchool.
SQ Magazine Takeaway
I’ve got to say, this is becoming all too common. We put our trust in brands like Toys “R” Us to protect our personal details, but even household names are falling short. The fact that basic contact information was exposed may not sound critical at first, but it opens doors for scammers, spammers, and phishers. It’s frustrating to see companies delay disclosure, especially when time matters most in reducing risk. I hope Toys “R” Us Canada truly steps up its security game, because customer trust is not something you can patch with a software update.
