Back

Information Security & Privacy Protection at MyPup

In July 2025, a data breach occurred at the Amsterdam-based parcel delivery company MyPup, in which the PII of approximately 60 thousand users was leaked via a poorly configured public API. The leaked user records showed that MyPup had illegally stored personally identifiable information of their users. My investigation shows that MyPup is trying to sweep their privacy violations under the rug, and that the company has structural shortcomings in its information security and privacy protection. MyPup is in structural and multiple violation of European privacy law. With this article, I hope to provide users with complete and transparent information about what happened to their data and what MyPup is trying to hide.

MyPup is a company that accepts packages on behalf of its users and then leaves them in a parcel locker within apartment complexes, offices, and other so-called “Pick up Points.” Until recently, I was also a user myself. In early July, out of boredom, I clicked through the app and came across the “Hand Over” feature. This allows users to leave packages directly in a parcel locker for another MyPup user to later pick up. To select who you want to transfer a package to, you can search by email address, phone number, delivery code, or name. The website then provides a list of matching users in the following format:

{
  "userId": "24ade0ae5cba4ebcad99d2eb39f5f189",
  "userName": “pi********en@gma*****”,
  "fullName": “P****r Kl****en”,
  "emailAddress": “pi********en@gma*****”,
  "phoneNumber": “+31612****78”,
  "mailCodePrefix": "MYPUP",
  "mailCodeAccount": “PIEMY EHJNCH”,
  "mainPupName": "MyPup HQ",
  "mainPupUid": "f954b7265c88468ab0909bf9e28a2165"
}

A Publicly Accessible User Database

Although some fields were partially masked, I was very shocked by this. The hand-over feature was publicly accesible, which means that anyone could see my user record linked to my home address. I was under the assumption that my data could only be viewed by MyPup and was not aware that my personal information was publically displayed. I decided to test whether the data could be fully de-anonymized.

When I searched for +31612345678, the above user record appeared in the search results. When I shortened the search to +3161234567, the same user remained visible, while a different number (e.g., +3161234561) yielded no results. This showed that the search function did not check for the masked display, but for the full underlying phone number. As long as the entered string matched the beginning of the real number the user record was returned. Even a search for +316 was sufficient to return the user record above.

This allowed a phone number to be reconstructed iteratively: a maximum of nine searches per position were needed to determine the correct digit, as only one digit returned the user record. Because usually only four digits were masked, a complete phone number could be retrieved within just a few API calls.

Email addresses could be reconstructed in a similar way. The first three letters of the unmasked mailCodeAccount field are always the same as the first three letters of the email address. In combination with the unmasked parts of the fullName field and the emailAddress field, this left only a limited number of possible combinations. This made it relatively easy to also iteratively deduce email addresses and, in most cases, the user's full name, giving a full user record.

To collect all users of a Pick Up Point, it turned out that a limitation in the search function could be circumvented: although a search term of less than three characters was not accepted, the search term “a--” returned all user records with delivery codes beginning with the letter “a” By repeating this for the entire alphabet, a complete user list could be compiled and then de-anonymized. I was able to repeat this for all 438 Pick Up Points.

Unrestricted Record Extraction

I wanted to inform MyPup of this vulnerability. Although MyPup has a bug bounty program, the rewards are so low (now even lower than in 2023) that it was not worth my while to write a detailed report. Therefore, on July 7, 2025, I decided to read out the data of all users in a very loud and unsophisticated manner. The idea was that MyPup's intrusion detection systems would notice this and the company would thus still be notified of this vulnerability. However, when the “attack” was still running after 24 hours of continuous reading, my own alarm bells went off. Apparently, MyPup has no system to detect intrusions or abnormalities. In the end, it took 37 hours and 438 dummy accounts to read the data of 59,066 users.

After that, I was too busy to deal with MyPup for a few weeks and assumed that at some point they would go through the logs and see that they had been hacked. On July 26, I went through the extracted data again and noticed that some of the phone numbers were missing. It turned out that for longer phone numbers, four * characters actually represented five or more digits, such that one * character per digit was no longer used. I adjusted my Python script accordingly and ran it again to read the last few thousand user records. Apparently, this was noticed (by chance?). A few days later, the search functionality was changed so that you could no longer search by phone number. However, email addresses and full names could still be publicly read.

A leak like this should never have happened. While reading the data, I didn't encounter any obstacles. I created approximately 500 MyPup accounts from a single IP address, which I then used to send millions of HTTP requests to a single endpoint from that same IP address. There wasn't any kind of rate limiting in place, and since no alerts had been set up at MyPup, data extraction could continue indefinitely. What makes this vulnerability different from others is that it is not a bug or accident. MyPup deliberately chose to make every user publicly findable with very limited data masking in order to make it easy for other users to select the correct recipient. In doing so, perceived usability, and thus indirectly profit, was given priority over user protection. MyPup did not consider the risks this posed to its users, or, more likely, decided to ignore them. What makes this particularly serious is that most Pick Up Points are located in the apartment complexes where the users live, meaning that the leaked user records can be linked to home addresses.

Illegal User Data Retention

These serious shortcomings regarding the protection of MyPup’s users prompted me to conduct further research into information security and privacy protection within the company. As a logical first step, I decided to review MyPup's privacy statement. Although it states that it was last updated in December 2021, the Wayback Machine shows that several significant changes and additions have been made since then. For example, between March 16, 2025, and April 17, 2025, a clause was added about data retention after manual account deletion. It is mandatory to notify users of such changes and while MyPup states in its privacy statement that it will do so, in practice they make silent changes to the privacy statement. Despite the fact that the Dutch and English versions of the privacy statement are not identical in content, both state that user accounts will be deleted after 12 months and 30 days of inactivity. However, much of the personal data leaked in July belongs to accounts that have been inactive for years. This means that many of the leaked user records were illegally stored in MyPup's systems and publicly available for anyone to download.

Delayed Disclosure

When a data breach occurs, a company has the legal obligation to report this to the affected users as soon as possible so that they can protect themselves against misuse of the leaked data. Since my personal MyPup account was among the leaked user records, I should have received this notification myself. When I had not yet received any kind of notification about the breach by October 13, 2025, I decided to share my concerns with MyPup. That day, I sent an email to MyPup's general email address. After sending a reminder, I received an email from CTO Dennis van den Berg on October 16. He confirmed that an incident had occurred and, to my surprise, reported that the affected users had been notified. I then asked for further information. No substantive response was given to these questions. I received no response at all to my last email of October 16. On November 17, I again expressed my concerns about the inadequate information security and privacy violations. I mentioned that I intended to publish an article about these issues. Three days later, I received an invitation to discuss this incident at the MyPup office. To protect my privacy, I indicated on the same day that I had to decline the invitation, but that I appreciated MyPup's willingness to engage in dialogue, requesting that the conversation continues by email. I sent a list of several new questions. This email was again ignored. On November 27, I indicated that I resented being ignored again and that I intended to inform the affected users about the possibility of claiming compensation for MyPup's negligence. The next day, MyPup sent all its users a notification about the leak. This notification stated that the phone numbers of 92 users had been leaked, but that MyPup could not say with certainty that no other users had been affected.

Misleading Communication

The notification sent significantly downplays the scale and severity of the leak. For example, MyPup incorrectly claims that no full names were leaked. Most remarkably, however, MyPup claims that it has only been able to identify 92 users whose data was accessed. This is less than 0.16% of the actual number of affected users. This suggests that MyPup does not keep basic log files, which is incomprehensible. A few minutes after this notification, I received an email from Dennis stating that he believes the incident has now been properly handled. He indicates that he has taken the following steps:

From Dennis van den Berg | MyPup Parzelo <dennisvandenberg@mypup.nl>

Subject Re: Question about security incident july

... - We immediately shut down the unsafe functionality. - We have improved and expanded our firewall, rate limiting, signaling, and notifications. - We have further tightened the functionality for automatically deleting accounts. - We have entered into a partnership with a professional cybersecurity agency. ...

MyPup confirms that the search functionality was indeed set up unsafely, that there were insufficient systems in place to detect and block intrusions, and that the company systematically non-compliant with its own privacy statement by unlawfully storing personal user data after the legal retention period.

Because I wanted MyPup to properly inform all affected users, on December 1, 2025, I sent Dennis the entire list of affected users, with the idea that he could now also inform the remaining 99.84% of affected users with certainty about the unauthorized extraction of their personal data. Because it is required by law and because MyPup itself claims in its previous notification that they find it important to keep users fully and transparently informed, I assumed a notification would be sent out promptly.

It is now February 20, 2026, and despite multiple reminders, MyPup has not yet informed over 99% of the affected users about the unauthorized extraction of their personally identifiable information and none of its users about the company's violations of its privacy statement and the unlawful retention of user data.

Account Takeovers via Customer Support

Because I believe that information security and privacy protection are not part of the company culture at MyPup, I decided to test whether customer service would give me access to the account of a random user. My test subject was the following Booking.com employee based in Amsterdam:

{
  "userId": "66b47fb416e249d2bc6b54d4e4498dea",
  "userName": “luigi.bisogno@booking.com”,
  "fullName": "Luigi Bisogno",
  "emailAddress": “luigi.bisogno@booking.com”,
  "phoneNumber": [redacted for privacy],
  "mailCodePrefix": "MYPUP",
  "mailCodeAccount": "LUITH ZHARGR",
  "mainPupName": "Booking.com ODE AMS 20",
  "mainPupUid": "c9a19b8b2e0d49ddbcd0475d9492c093"
}

I decided to only use the fullName, emailAddress, and mailCodeAccount fields, since the email address can be publicly found anyway and the delivery code was never masked to begin with. Based on this information, I created the email address “l.e.bisogno@hotmail.com”. From which I sent the following email to info@my-pup.com:

From Luigi Bisogno <l.e.bisogno@hotmail.com>

To info@my-pup.com

Subject Email change

Dear Mypup support, I am no longer employed with Booking.com and thus can't access my old email address luigi.bisogno@booking.com anymore, so now I can't log in to my Mypup account. Could you please change my account to my personal email address: l.e.bisogno@hotmail.com? My address code is MYPUP LUITH ZHARGR. Thank you in advance. Best Regards, Luigi Bisogno

After 15 hours I received the following response:

From Romaissa | MyPup, My Pick Up Point <info@mypup.nl>

To Luigi Bisogno <l.e.bisogno@hotmail.com>

Subject Re: Email change

Dear Luigi, Thank you for your message. I have just updated your email in our system. You should now be able to log in using your personal email. Met vriendelijke groet/ kind regards, Conway MyPup | My Pick Up Point

After this, I was able to request a new password for Luigi's account via mypup.app, which was then sent to l.e.bisogno@hotmail.com instead of luigi.bisogno@booking.com. This gave me full access to Luigi's account. I could view all account details, package history, and customs payments. In addition, if I would have wanted to, I could now have retrieved Luigi's packages from his locker or have the packages sent to another Pick Up Point altogether.

Because this was a little too easy, I decided to see if just a first name and delivery code would also be enough to gain access to any arbitrary user account. For this, I chose the following residential record from Utrecht:

{
  "userId": "7e0b1399ee4a454ea4933893c4f55ada",
  "userName": [redacted for privacy],
  "fullName": "Hannah [redacted for privacy]",
  "emailAddress": [redacted for privacy],
  "phoneNumber": "+49... [redacted for privacy],
  "mailCodePrefix": "MYPUP",
  "mailCodeAccount": "HANLI YSGKTK",
  "mainPupName": "Limapad 2",
  "mainPupUid": "14986593aa79408eb9b7c15c11ae77b4"
}

I created the email address “hannahsiee03@hotmail.com” and in my best German I sent the following email from this newly created email address:

From Hannah S. <hannahsiee03@hotmail.com>

To info@my-pup.com

Subject Anmeldung Problem

Hallo, ich versuche, mich bei meinem Konto HANLI YSGKTK unter Limapad in Utrecht anzumelden, habe aber vergessen, welche E-Mail-Adresse ich bei der Registrierung verwendet habe. Können Sie mir bitte helfen? Mit freundlichen Grüßen, Hannah

Once again, MyPup had no problem sharing personal user information with me:

From Olivier | MyPup, My Pick Up Point <info@mypup.nl>

To Hannah S. <hannahsiee03@hotmail.com>

Subject Re: Anmeldung Problem

Dear Hannah, You used: [redacted for privacy]@icloud.com Met vriendelijke groet/ kind regards, Olivier MyPup | My Pick Up Point

After MyPup shared Hannah's full name and email address, I sent the following email:

From Hannah S. <hannahsiee03@hotmail.com>

To Olivier | MyPup, My Pick Up Point <info@mypup.nl>

Subject Re: Anmeldung Problem

Hello Olivier, Thank you for looking that up for me. I was afraid it would be my icloud email address as I no longer have access to my Apple account. Is it possible for you to change my account to have the email address I am sending this email from or would I have to create a new account? Sincerely, Hannah [redacted for privacy]

After which MyPup again provided me with full access to the account:

From Olivier | MyPup, My Pick Up Point <info@mypup.nl>

To Hannah S. <hannahsiee03@hotmail.com>

Subject Re: Anmeldung Problem

Dear Hannah, I just changed it to your new email adress and you should be able to login with this account. Met vriendelijke groet/ kind regards, Olivier MyPup | My Pick Up Point

This means that with nothing more than a public delivery code and a first name, I was able to gain full access to the account of any arbitrary MyPup user. What makes this even more concerning is that this test subject is a young student in a residential building. By granting access to her account, MyPup also grants access to all her personal data, including her home address. This confirms my hypothesis that, despite many promises, information security and privacy protection are not a priority at MyPup and are not part of the company culture.

Questionable Information Security Certification

On April 28, 2025, MyPup obtained ISO/IEC 27001:2022 certification for its information security management system. This is an international standard that guarantees that an organization has taken the appropriate measures to protect the confidentiality, integrity, and availability of its information against risks and threats. MyPup's certification was issued by the Indian certification organization TNV Certification Pvt. Ltd. (isoindia.org). I believe that this certification was issued incorrectly. In order to comply with the standard, an organization must show they implement a number of reference controls. These are clearly defined in Annex A of the ISO/IEC 27001:2022 standard document. Based on my findings, I strongly believe that MyPup has not sufficiently implemented many of the required controls, and has therefore been wrongfully awarded certification.

The fact that personal user information was publicly accessible indicates, for example, insufficient implementation of measures A.1.5.33 (Protection of records) and A.1.5.34 (Privacy and protection of personally identifiable information). The fact that this could be exploited indicates insufficient implementation of A.1.8.3 (Information access restriction), A.1.8.9 (Configuration management), A.1.8.11 (Data masking), and A.1.8.12 (Data leakage prevention). The fact that the leaked dataset contains records from accounts that, according to the privacy statement, should already have been deleted indicates insufficient implementation of A.1.8.10 (Information deletion). The fact that MyPup only noticed the breach three weeks after it took place indicates insufficient implementation of A.1.8.16 (Monitoring activities). The fact that MyPup was unable to identify the affected users indicates insufficient implementation of A.1.8.15 (Logging). The fact that MyPup has not yet definitively informed the affected users, despite now knowing who they are, indicates insufficient implementation of A.1.5.26 (Response to information security incidents) and A.1.5.31 (Legal, statutory, regulatory and contractual requirements). The fact that MyPup's employees provide personal user details and account access to whomever asks indicates insufficient implementation of A.1.6.3 (Information security awareness, education and training).

It is important to stress that these are only the controls I was able to verify based on observable behavior and available evidence. I have no way of assessing whether many of the other required controls have actually been implemented within MyPup at all.