Toys “R” Us Canada has despatched notices of an information breach to clients informing them of a safety incident the place menace actors leaked buyer information they’d beforehand stolen from its methods.
The corporate found the information leak on July 30, 2025, when a menace actor posted on the darkish net what they claimed to be Toys “R” Us buyer knowledge.
Subsequent investigation of the menace actor’s claims, carried out with the assistance of third-party specialists, confirmed that the data was certainly genuine.
“On July 30, 2025, we turned conscious by way of a posting on the unindexed web {that a} third-party was claiming to have stolen data from our database,” reads the letter despatched to clients.
“We instantly employed third-party cybersecurity specialists to help with containment and to research the incident.”
“The investigation revealed that the unauthorized third occasion copied sure information kind our buyer database which incorporates private data.”
The info sorts that have been leaked range per particular person, and will comprise a number of of the next:
- Full identify
- Bodily handle
- E mail handle
- Telephone quantity
Toys “R” Us underlines that account passwords, bank card data, or different “related confidential knowledge” weren’t uncovered.
Toys “R” Us Canada, a subsidiary of Toys “R” Us, is a toy retailer chain working 40 branches throughout the nation, promoting toys, video video games, and clothes.
Following the invention of the breach, the corporate has upgraded the safety of its IT methods beneath the steerage of cybersecurity specialists.
The agency additionally said that it’s within the strategy of notifying the relevant privateness regulatory authorities in Canada of the information breach.
In the meantime, the notification recipients are suggested to disregard unsolicited communications and stay alert for phishing messages that impersonate Toys “R” Us and request private data.
BleepingComputer has contacted the corporate to ask extra details about the menace actor who leaked the information, what number of clients are uncovered by this incident, and whether or not a ransom was demanded, however now we have not acquired a response by publication.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.
