Toys “R” Us Canada recently disclosed that it experienced a data breach affecting customer information. The company discovered the incident after attackers claimed to have accessed and posted details on an “unindexed internet” forum, a term likely referring to dark-web sources. According to the company’s notification, the breach began in late July 2025. Toys “R” Us noted that attackers had copied a subset of its customer database sometime around July 30, and only later did the company detect, investigate, and notify those whose data may have been exposed.
What data may have been exposed?
The company’s breach notice stated that the stolen records may have included any or all of the following: customer names, physical mailing addresses, email addresses, and phone numbers. No claim was made that payment card data, passwords, or financial account information were accessed.
Toys “R” Us emphasized that it is not aware of any misuse of the data at present, though it cautioned that the exposed information could be used for phishing attacks, identity fraud, or other malicious activity.
Upon learning of the breach claim, Toys “R” Us engaged outside cybersecurity specialists to investigate. The firm reached out to impacted customers via notification letters, mainly in Canada, informing them of their exposure and providing guidance on what to do next.
The company’s notice also advised recipients to remain vigilant against unsolicited requests for personal information, spoofed communications, suspicious attachments or links, and to monitor their account statements and credit reports regularly.
While the breach did not reportedly involve sensitive financial details or passwords, the exposure of contact information, mailing addresses, and email addresses is still significant. These are exactly the kinds of data points scammers and identity thieves can use to craft plausible impersonation or phishing campaigns.
What’s more, the delayed discovery adds risk. The fact that attackers may have had access for several months before notification increases the period in which data misuse might occur unnoticed. The retail chain’s size and the number of customers served mean the scope could be large even though precise numbers have not been released.
What to do if you receive the notice
If you shopped at Toys “R” Us Canada and received a notice, treat it seriously. Even though no payment data was reported as stolen, you should still review statements, monitor your email for unusual messages, and consider whether any unsolicited calls or messages reference your account or purchases.
Be especially alert for emails or calls purportedly from the store, asking you to confirm or reset information, offers that seem to reference purchases you did not make, as well as any login attempts or account changes on services where you might reuse the same email. Use unique passwords for different accounts, enable multi-factor authentication whenever available, and place a free fraud alert with the relevant credit bureau in Canada.
The Toys “R” Us Canada incident serves as a reminder that even well-known retail brands are vulnerable to data theft. Even when credit card details are not involved, the exposure of names, contact details, and addresses can set the stage for future fraud.
What matters now is how quickly affected individuals act and how seriously the company follows through with remediation. For many consumers, the key will be remaining alert, using strong security habits, and recognising that identity risk extends beyond the wallet.