Toys “R” Us Canada confirms customer data leak after dark-web post

Redacto

The retailer says names, addresses, emails, and phone numbers were copied from a customer database. Passwords and payment data were not included, according to notices sent this week.

What happened, in brief

  • Discovery date: July 30, 2025, after a post on the unindexed internet claimed access to Toys “R” Us Canada customer data.
  • Verification: An investigation confirmed records were stolen and later leaked on the dark web.
  • Notification window: Customers began receiving breach emails on October 23–24, 2025.

What data was exposed

Notices and media reports state the leaked dataset includes names, mailing addresses, email addresses, and phone numbers. Current reporting says passwords and credit card numbers were not involved.

What this means for customers

Even without passwords or cards, the exposed contact details can fuel phishing, spam, and targeted fraud. Expect scammers to impersonate the brand and reference recent orders or loyalty activity to elicit clicks or additional data.

Customers who have questions or need assistance with this issue are encouraged to contact customerservice@toysrus.ca.

Immediate steps to take

  1. Treat unsolicited messages as suspicious. Do not click links in unexpected emails or texts claiming to be from Toys “R” Us Canada. Navigate directly to the official site or app instead.
  2. Enable multi-factor authentication on any accounts that support it, especially those that share your email address.
  3. Watch your inbox and phone for increased spam or spoofed messages. Use your provider’s reporting tools to block and report.
  4. Change reused passwords anywhere that shares your Toys “R” Us email, even though passwords were not reported stolen. Credential reuse remains a top risk.
  5. Monitor loyalty or retail accounts for unusual activity.

Timeline snapshot

  • July 30, 2025: Company becomes aware of the claim after a post on the unindexed internet. An external firm is engaged to investigate.
  • Subsequent investigation: Confirms theft of contact data.
  • October 23–24, 2025: Customer notifications sent and public reporting begins.

FAQs Relating to This Story

Did attackers get my password or card number?
Current statements indicate the leak involved contact details such as names, mailing addresses, email addresses, and phone numbers. Passwords and payment data were not included. Still, change any reused passwords and keep an eye on your accounts.

Why did notifications arrive months after the claimed theft?
The company became aware of the claim in late July and engaged outside investigators. After confirming what was taken, notifications were sent in late October. That gap reflects investigation and verification steps.

What should I watch for next?
Expect phishing and spam that reference your name or recent shopping. Be cautious with messages about order issues or loyalty accounts. Do not click message links. Go directly to the official site or app to check your account.