If you’re a customer of Canadian toy giant Toys’R’Us and like to spend money on their website, your identity may have been stolen by a hacker.

In a press release forwarded to the Rural Alberta Report Oct. 23 by a reader the toy retailer acknowledged their online data storage had been hacked, although the retailer claims only names and addresses, not financial data, were compromised.

“Re: Notice of a Cybersecurity Incident,” began the Toys R Us email. “We are writing to inform you of a cybersecurity incident recently discovered by Toys’R’Us that resulted in unauthorized access to a portion of our customer database containing personal information. We are sending you this message because your personal information was among the data we believe was affected.”

According to the email Toys’R’Us wasn’t originally aware data was breached. “On July 30, 2025, we became aware via a posting on the unindexed internet that a third party was claiming to have stolen information from our database. We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident. The investigation revealed that the unauthorized third party copied certain records from our customer database which contains personal information.

“While we already have strong protections in place across our...systems, in consultation with our third-party cybersecurity experts, we have implemented a number of enhanced security measures to prevent a similar incident occurring in future. We are in the process of reporting this matter to the applicable privacy regulatory authorities and we have engaged specialized legal counsel to assist us in this process.

“The investigation found that a subset of our customer records was copied from our database. These records may have contained all or some of the following personal information relating to you: name, address, email and phone number. We’d like to stress that no passwords, credit card details or similar confidential data were involved in this Incident.

“We are not aware of any evidence that suggests any of this information has been misused for fraudulent purposes.”

For reader’s information, “the unindexed internet” the retailer refers to may mean “the deep web.” According to a Wikipedia page, “The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard web search-engine programs.”

However, it may also refer to “the dark web,” which Wikipedia defines thusly: “The dark web is the World Wide Web content that exists on darknets that use the Internet, but require specific software, configurations, or authorization to access.” It’s accepted that the deep web is frequented by criminal computer hackers and organized crime. The Wikipedia entry includes the following sub-topics on the deep web: ransomeware, hacking groups, fraud, illegal pornography and terrorism.

While other media outlets such as CBC and Global have reported the Government of Canada is aware of this data beach, as of Oct. 23 the Canadian Centre for Cybersecurity website contained no mention at all of the Toys’R’Us incident.

What was Toys’R’Us’ advice for those who may or may not have had their identity stolen? The company provided basic internet safety advice which mostly amounts to “Do not share your personal information with a stranger on the internet” and don’t open or click on strange, unexpected emails.

The retail giant closed their email with a comment that closely resembled an apology. “We regret any inconvenience or concern this incident may cause you,” stated Toys’R’Us.