Toys “R” Us Canada has notified customers that threat actors leaked customer records they say were stolen from the company’s systems after a posting on the unindexed internet on July 30, 2025.
Following the posting, the company engaged third-party cybersecurity experts and said a subsequent investigation confirmed the information was authentic; one report summarizing the confirmation is available here.
The notification letter to customers states the company immediately hired external experts to assist with containment and to investigate the incident.
Toys “R” Us Canada said the copied customer records may include full name, physical address, email address and phone number, and that account passwords, credit card information and other similar confidential data were not exposed.
The company, a subsidiary that operates 40 stores across Canada, said it has upgraded IT security under the guidance of cybersecurity experts and is in the process of notifying the applicable Canadian privacy regulators. It advised customers to ignore unsolicited communications and remain alert for phishing attempts impersonating the retailer.
Attempts to obtain further details about the threat actor, the number of affected customers and whether a ransom was sought were not answered by the company before publication.