Toys "R" Us Canada

Toys "R" Us Canada suffered a data breach in July, in which threat actors accessed customer information and leaked it on the dark web. The exposed data included names, email addresses, physical addresses, and phone numbers, though no financial details (e.g., credit cards or passwords) were compromised. The breach heightened risks of identity theft and phishing scams targeting affected shoppers. The company promptly notified customers, aligning with regulatory requirements like Canada’s PIPEDA. While the intrusion method remains speculative, reports suggest potential ties to broader campaigns exploiting software vulnerabilities, such as OAuth token abuse via integrations like Salesloft’s Drift or CL0P’s targeting of Oracle E-Business Suite systems. The incident underscores challenges in securing legacy systems amid digital transformation, with experts emphasizing the need for data minimization and robust threat detection. Customers were advised to monitor for suspicious activity and enhance security measures like two-factor authentication. The breach has sparked industry discussions on zero-trust architectures and third-party vendor risks, while regulators may impose fines if negligence is confirmed.

Source: https://www.webpronews.com/toys-r-us-canada-data-breach-leaks-customer-info-on-dark-web/

TPRM report: https://www.rankiteo.com/company/toys'r'us-canada

"id": "toy2192021102525",
"linkid": "toys'r'us-canada",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'toys/retail',
                        'location': 'Canada',
                        'name': 'Toys "R" Us Canada',
                        'size': 'mid-tier (independent post-2018 U.S. '
                                'bankruptcy)',
                        'type': 'retailer'}],
 'attack_vector': ['potential OAuth token exploitation (Salesloft’s Drift)',
                   'third-party vendor vulnerability',
                   'cloud-based service attack'],
 'customer_advisories': ['email notifications sent to affected individuals',
                         'guidance on recognizing suspicious communications'],
 'data_breach': {'data_exfiltration': 'yes (leaked on dark web)',
                 'personally_identifiable_information': ['names',
                                                         'email addresses',
                                                         'physical addresses',
                                                         'phone numbers'],
                 'sensitivity_of_data': 'moderate (no financial/password data, '
                                        'but high phishing risk)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)']},
 'date_detected': '2023-07',
 'description': 'Toys "R" Us Canada confirmed a significant data breach dating '
                'back to July, where threat actors accessed and leaked '
                'customer personal details (names, email addresses, physical '
                'addresses, phone numbers) on the dark web. While no financial '
                'data (credit cards, passwords) was compromised, the incident '
                'heightens risks of identity theft and phishing scams. The '
                'breach aligns with broader campaigns exploiting software '
                'vulnerabilities (e.g., OAuth token abuse via Salesloft’s '
                'Drift, CL0P ransomware targeting Oracle E-Business Suite). '
                'Toys "R" Us responded by notifying affected customers and '
                'emphasizing data minimization and zero-trust architectures as '
                'preventive measures.',
 'impact': {'brand_reputation_impact': 'moderate (proactive disclosure '
                                       'mitigated damage, but risk of '
                                       'phishing/social engineering persists)',
            'data_compromised': ['names',
                                 'email addresses',
                                 'physical addresses',
                                 'phone numbers'],
            'identity_theft_risk': 'high (exposed PII enables phishing/social '
                                   'engineering)',
            'legal_liabilities': 'potential fines under PIPEDA (Canada’s '
                                 'privacy law)',
            'payment_information_risk': 'none (no financial data compromised)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'yes',
                           'entry_point': ['potential OAuth token abuse '
                                           '(Salesloft’s Drift integration)',
                                           'third-party vendor compromise'],
                           'high_value_targets': ['customer PII databases']},
 'investigation_status': 'ongoing (potential links to OAuth exploitation '
                         'campaigns under scrutiny)',
 'lessons_learned': ['Importance of data minimization (storing only essential '
                     'customer information)',
                     'Risks of third-party vendor vulnerabilities (e.g., '
                     'Salesforce integrations)',
                     'Need for regular penetration testing and zero-trust '
                     'architectures',
                     'Proactive disclosure mitigates reputational damage',
                     'Consumer education on phishing risks post-breach is '
                     'critical'],
 'motivation': ['financial gain (data monetization on dark web)',
                'potential extortion'],
 'post_incident_analysis': {'corrective_actions': ['Review third-party vendor '
                                                   'security protocols',
                                                   'Implement stricter access '
                                                   'controls (e.g., '
                                                   'zero-trust)',
                                                   'Enhance customer data '
                                                   'protection measures '
                                                   '(encryption, '
                                                   'minimization)'],
                            'root_causes': ['Potential exploitation of '
                                            'third-party software '
                                            'vulnerabilities (e.g., Salesforce '
                                            'integrations)',
                                            'Legacy system security gaps '
                                            'during digital transformation',
                                            'Lack of data encryption for '
                                            'stored PII']},
 'ransomware': {'data_exfiltration': 'yes (leaked on dark web)'},
 'recommendations': ['Adopt zero-trust security models',
                     'Implement AI-driven threat detection for anomalies',
                     'Conduct third-party vendor audits (especially cloud/SaaS '
                     'integrations)',
                     'Enhance encryption for stored PII',
                     'Promote customer adoption of 2FA and credit freezes',
                     'Collaborative threat intelligence sharing across retail '
                     'sector'],
 'references': [{'source': 'CBC News'},
                {'source': 'The Register'},
                {'source': 'BleepingComputer'},
                {'source': 'Cloudflare (Drift-Salesloft OAuth flaw report)'},
                {'source': 'Global News'}],
 'regulatory_compliance': {'regulations_violated': ['potential PIPEDA '
                                                    '(Canada’s Personal '
                                                    'Information Protection '
                                                    'and Electronic Documents '
                                                    'Act)'],
                           'regulatory_notifications': 'yes (customer '
                                                       'notifications aligned '
                                                       'with PIPEDA '
                                                       'requirements)'},
 'response': {'communication_strategy': ['email notifications to affected '
                                         'customers',
                                         'public disclosure via media (CBC '
                                         'News)'],
              'incident_response_plan_activated': 'yes (proactive customer '
                                                  'notification)',
              'remediation_measures': ['customer advisories',
                                       'encouraged 2FA adoption']},
 'stakeholder_advisories': ['customers urged to monitor for phishing attempts',
                            'recommendations for 2FA and credit freezes'],
 'title': 'Toys "R" Us Canada Data Breach Exposes Customer Information on Dark '
          'Web',
 'type': ['data breach', 'unauthorized access', 'data leak'],
 'vulnerability_exploited': ['Salesforce integration flaw (Drift-Salesloft)',
                             'potential Oracle E-Business Suite vulnerability']}