MyPup: Privacy violations

In exactly --d --:--:-- a dump of __.___ MyPup user account records will be made publicly available. If you are a client of MyPup and wish to remove your users' information from this dump, please read below. The goal is for MyPup to take accountability, not to cause harm.

Breach Statistics

  • Date of Breach: July 7th, 2025
  • Time to Publication: --d --:--:--
  • Accounts Exposed: --
  • Removed Pick-Up Points: -- / --
  • Removed Groups: -- / --

Update 2 Mar 8, 2026

This update is a response to MyPup's official statement regarding the data breach.


"We want to be clear that the suggestion that MyPup took no action or lacked transparency is incorrect. Throughout the entire process, we have communicated openly and taken every required step promptly and thoroughly."

This statement is false. MyPup did not communicate anything to their users after receiving the full list of affected users, which misled users to believe that only 92 account records had been confirmed as leaked, when the actual number was closer to 60,000.

More importantly, MyPup did not inform affected users that it had violated its own privacy policy by illegally retaining personal data. Only after the pressure created by this website did MyPup publicly admit that it had retained user data in violation of its own policy.

I would like to invite all users who believe their account should have already been deleted as of July 7, 2025 to consider taking legal action if their account record is part of the published data breach. Under European law, you have the right to compensation for damages caused by negligence. Since MyPup violated its own binding privacy policy, you have a very strong case to claim monetary compensation.

If you have any questions about this, please send me an email.


"The online report misrepresents the incident in several significant ways: it displays a full user record containing name and email address and other details that were not present in the attacker's own evidence files and are way more detailed than what our system ever returned."

This statement is false and should be corrected by MyPup. On March 3, the company released a statement confirming that it had received evidence showing that the leaked user records do in fact contain email addresses, phone numbers, names, pick-up point names, addresses, and delivery codes.


"The online report serves a single purpose: to spread fear among users and customers, damage MyPup commercially, and use our clients and their tenants as leverage."

This statement is false. This website serves the purpose of forcing MyPup to transparently inform their users about its privacy violations and the unprofessional state of information security at the company. This goal has been (partly) achieved and would not have happened if it weren't for this website.


"The site claims we are negotiating: no, we are not in negotiation with the hacker."

I never claimed to be negotiating with MyPup.


"Unfortunately, due to further security measures, we can neither confirm nor deny if your account is part of this data set. This would be a security risk on its own."

This is not true. A secure way to verify whether an account was part of the data breach could easily be set up, as MyPup has the full list of breached accounts. MyPup chooses not to do this.

If you want to know whether your account was part of the breach anyway, send me an email.


"A brute-force enumeration attack was carried out, in which random telephone numbers or email addresses were tested to see which ones existed. You can compare this to trying different combinations on a numerical lock until the correct one is found."

This is a misleading oversimplification. If you want to stay with the numerical lock analogy: MyPup exposed all but 4 digits of the code and allowed an attacker to iteratively guess the remaining 4 digits independently, meaning a code could be "brute-forced" in less than 20 guesses on average...


"This individual demanded nearly €90.000 in Bitcoin. He fabricated a charity scheme by using the name of Bits of Freedom, an organisation that confirmed they had no involvement."

I did not fabricate any “scheme.” Since it was clear to me that MyPup was not going to inform their users about their privacy violations, I decided that a fair compromise would be for MyPup to donate €1.50 per affected user to a charity fighting for consumer privacy. The donation had to be made in Bitcoin, as I did not want MyPup to later request a refund for their donation.

MyPup initially agreed to this proposal but later backed out, stating that they did not consider €1.50 per affected user appropriate. While Bits of Freedom was not knowingly involved, I did inquire about making a substantial crypto donation to the organization. Email correspondence confirming this can be provided upon request.


"The day after his payment deadline passed, he built infrastructure to sabotage login functionality for MyPup and other customers."

I have no idea what this is referring to, and I would like MyPup to elaborate on this claim.


"Finally, he spreads false claims about client terminations to manufacture commercial pressure."

At no point did I claim that any client has terminated their contract with MyPup. I do not know where MyPup is getting this information from. Again, I would like MyPup to elaborate on this claim.


"The suggestion to terminate contracts comes directly from the extortion campaign and is designed to create commercial pressure on MyPup."

This is false. As clearly explained on my website, I would like MyPup's clients to terminate their contracts because I do not believe MyPup has the expertise or the care required to properly handle PII. By reducing the number of Pick-Up Points, the number of users at risk is also reduced. There is no extortion campaign.

I hope that instead of putting this much effort into discrediting me as a privacy activist, MyPup will instead take some accountability and reflect on its actions.

Update Mar 8, 2026

Because I have a large backlog of emails I still want to reply to, and because I haven't found the time to write a proper reply to MyPup's accusations yet, I have decided to postpone the publication of the leaked data.
- Eelke

P.S.: I had to remove some information from the clearnet version of this site in order to comply with the hosting provider's ToS.

Update Feb 28, 2026

MyPup claims the records on this website are "enriched with third party data". This is false. While the vulnerable API didn't directly return unmasked email addresses, the masked email addresses were unmasked in the exact same way as the phone numbers, as described in my article. The only "enriched" data is the fullName field, as this is deduced from the leaked emailAddress field, but still doesn't require third-party data. MyPup also claims I sent "proof" at some point. I did no such thing; I sent a list of affected user IDs so that MyPup could accurately inform the affected users (which they never did). I never claimed this was the full data set. Because MyPup requires proof, I decided to release a random sample of 1000 user records: [ deleted because MyPup publicly acknowledged full account records were leaked ]

MyPup does not care about your privacy

In July 2025, MyPup's hand-over feature was configured too verbosely, exposing the personally identifiable information of __.___ users. Many of these user accounts were inactive for well over a year and should have already been deleted from MyPup's systems, as their retention violated the company’s own privacy policy and, with that, European law. This means that MyPup was publicly displaying private user information like phone numbers and email addresses of user accounts that the company claimed were already removed from their systems.

Over the months that followed, repeated attempts to prompt full disclosure to affected users were met with slow, inaccurate, and incomplete communication or got ignored entirely. This eventually caused me to create this website, in hopes of MyPup finally taking accountability for their repeated privacy violations and lack of transparency.

I want to give clients of MyPup the chance to have the user account records of their Pick-Up Points removed from the data set before it's publicized. To do so, the client has to permanently terminate their contract with MyPup. If proof of termination is provided, the client's user records will be removed from the data set before being publicized. To provide proof, please contact eelke.rijkens@.

My research went further than this data breach alone. It turns out information security at MyPup is lacking, or non-existent, in many aspects of the company's operations:


FAQ

What if this site goes down?

There are two Tor mirrors available:

  1. mypupnlacctbank2v42l4apnspdc4cga3umps5uxqyjrlgdxhplvzzad.onion
  2. mypupxtabs4z4umz3aexj4sxo5g6ookhglbqfuhvu2ifyhuilkq32bqd.onion

These will also be used to announce a new clearnet domain.

Is my account data part of the breached data set?

Send an email to eelke.rijkens@ from the email address associated with your MyPup account, with your MyPup delivery code as the subject.

If your email address / delivery code combo is found in the data set, I will send you your full record. If the email address is not associated with the delivery code, you will only receive a reply stating whether or not the account associated with the delivery code is in the data set.

Can you remove my account from the data set?

Not without your employer / landlord / HOA terminating their contract with MyPup. I know it sucks, but it's to protect users from future privacy violations. However, if you believe your account record being public would put you in direct danger, please send an email from the email address associated with your MyPup account to eelke.rijkens@ and I will see what I can do, but no promises. If you want to be sure that your account record won't be publicized, you should urge the responsible organisation to terminate their contract with MyPup.

You call yourself a privacy activist, so why are you publicizing a data breach?

This is a good question and it was not an easy decision to make.

Initially I tried to get MyPup to transparently inform their users about the data breach and, maybe more importantly, about retaining account data after the retention period from their own privacy policy expired. After threatening to inform the press, MyPup eventually sent a notification to their users. This notification did not accurately describe the scope of the data breach and did not mention the company's privacy violations at all.

This lack of transparency made me decide to approach the press with my concerns anyway. Initially, the press was very interested in the story, but when it became clear to them that the extracted user records were not actually publicized, their interest faded.

I want MyPup to be held accountable for their disregard of privacy and information security. To me, this weighs heavier than the possible harm caused by publicizing the data set. By making the data set publicly available, I hope this matter gets the attention it requires.

Why do you ask MyPup's clients to terminate their contracts?

MyPup has continuously shown a disregard towards information security, their own privacy policy and European privacy law. As such, I no longer believe MyPup is fit to process personally identifiable information, let alone physical lockers associated with their users' home addresses. By asking clients to terminate their contracts, I hope to protect MyPup's current users from yet another privacy violation.

Does MyPup know which users are affected by the data breach?

Initially MyPup did not even know a data breach took place. When I later informed them, they admitted to not having a logging system in place, and that they thus were unable to track which user accounts were compromised. Upon hearing this, I provided MyPup with a complete list of exposed user records, which they ignored.

Can I help?

I don't personally need anything. Please consider donating to one of the following non-profit organizations:

If you would rather donate anonymously, you can send your donation to the bitcoin address below. I will anonymize and forward your donation to the mentioned causes. If you wish for your donation to go to a specific cause, please reach out to eelke.rijkens@.

BTC: bc1qwjtdzhw4mqkgyqeydmzhhm8g5u0r6rx544g6rg