Toys ‘R’ Us Canada has disclosed a data breach, which it learned about after attackers posted stolen customer information on the “unindexed internet.”
The Canadian chain of toy stores started reaching out to individuals whose data may have been exposed in the three-month-old data breach. According to the company, it learned about attackers’ claims that they accessed Toys ‘R’ Us customer data during the last days of July.
It is not entirely clear what the company means by “unindexed internet,” but the most likely explanation would be the dark web. Ransomware gangs and attackers often post stolen details on the dark web to hide from law enforcement.
We have reached out to the company for clarification about this and the number of exposed individuals and will update the article once we receive a reply.
@Lbabinz Toys R Us Canada was hacked July 30th. Customers name, address, email and phone numbers have been stolen. Passwords and credit cards (hopefully) unaffected. Took them 3 months to let customers know. pic.twitter.com/QWfnD8XuKx
undefined Deacon Ross (@Deekman) October 23, 2025
The breach notice that Canada’s Toys ‘R’ Us shared with customers claims that the company immediately hired a cybersecurity firm to investigate the incident. Unfortunately for the toy stores’ customers, a subsequent investigation revealed that the data posted on the dark web indeed was taken from Toys ‘R’ Us systems.
“The investigation found that a subset of our customer records was copied from our database. These records may have contained all or some of the following personal information relating to you: names, address, email, and phone number,” reads the data breach notice.
Attackers could exploit the leaked details to attempt identity theft and financial fraud or target the exposed individuals with phishing attacks. Individuals whose personal details are leaked online face increased privacy risks and need to be wary of unwarranted email messages and other communications.
Meanwhile, Toys ‘R’ Us Canada stressed that no passwords, credit card details, or other confidential data were involved in the hacker attack. The company was also not aware of any incidents where user details may have been abused.
The company’s data breach notice advised customers to never respond to unsolicited requests for information, stay vigilant about spoofing, and never click on suspicious links or download suspicious attachments.
Unlike its American counterpart, the Canadian branch of Toys ‘R’ Us survived the 2018 bankruptcy. Toys ‘R’ Us Canada operates around 80 stores in the North American nation, with reported revenue hovering around $700 million.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked