Since February 24th 2026, a website has been published by an individual using the name “Eelke.” This website claims that MyPup does not take responsibility for security and privacy. It also states that, for this reason, information from the 2025 security incident will be made public. ​ We want to be clear that the suggestion that MyPup took no action or lacked transparency is incorrect. Throughout the entire process, we have communicated openly and taken every required step promptly and thoroughly.  feb ​ The data breach happened in 2025 and has been fixed. It is important to emphasize that the details published on this website do not concern a new data breach. All information refers solely to the incident that occurred in 2025. As stated below, we acted immediately implemented extensive measures to prevent incidents of this nature, both then, now and in the future.

No, there is no new data leak. The online report refers to the earlier reported data leak in July 2025. ​ The online report misrepresents the incident in several significant ways: it displays a full user record containing name and email address and other details that were not present in the attacker's own evidence files and are way more detailed than what our system ever returned. The site contains false claims about clients terminating their contracts, and it portrays the situation as ongoing when the underlying vulnerability was patched in July 2025. ​ The online report serves a single purpose: to spread fear among users and customers, damage MyPup commercially, and use our clients and their tenants as leverage.

The site claims we are negotiating: no, we are not in negotiation with the hacker.

The site claims to publish all the data on the dark web by March 9th 2025 at 00:00. When you received an e-mail from us back in 2025 about the data breach, your data is likely be part of this data set. If you did not, you are not part of this data set. However, it could be that the mail was delivered in your spam folder at that time. If you had a MyPup account linked to a Pick Up Point without any restrictions (like a join code or subscription) up until July 28 2025, than it is likely that you are part of this data set. ​ Unfortunately, due to further security measures, we can neither confirm nor deny if your account is part of this data set. This would be a security risk on its own. ​ We have taken legal action to try and prevent the publication of personal data, and we are confident in that process. Publishing personal data without consent is illegal under Dutch and European law. ​ In July 2025, an individual abused a search feature on the MyPup platform to enumerate phone numbers and e-mail addresses of approximately 60,000 user accounts. This search feature returned masked data for names and phone numbers (for example: J****n V****S and +31612****78). ​​ On December 1, 2025, the attacker provided us with an extract of data that was supposed to be evidence of the breach's data. Those files contained phone numbers, delivery codes, hashed account identifiers and pick up point identifiers. Since this did not contain any more personal data than mentioned in the mail, no new communication was needed. ​ On March 3, 2026 the attacker published a partial data dump. This file contained more data than mentioned earlier. Although we cannot be sure that the data was enriched using third party tools in the mean time, we have to assume that the data came from the abused "search neighbor or colleague" feature that was abused in July 2025.

The following personal data belonging to nearly 60,000 MyPup users may have been accessed by the attacker during the July 2025 attack: ​ Contact-related details • Phone number: Accessed • E-mail adres*: Accessed • Name (partial/anonymized): Accessed * However, there are cases that a name can be reconstructed based on the email address and first 3 characters of the delivery code (especially with a short name). Pick up point related details • Pick up point name: Accessed • Pick up point location: Accessed • For office locations: Address or address block • For apartment buildings: Address block or range What is not accessed • Account passwords: Not accessed • Payment information: Not accessed • Parcel information: Not accessed • Full account access: Not accessed ​​ * This is updated on March 3 2026. In July, indications showed that only phone numbers were exposed through a brute‑force enumeration attack. Although there was no evidence of the same method being used to obtain email addresses, the possibility of full, partial, or anonymized addresses being exposed could not be ruled out. For this reason, the impact was described as “(A portion of) Email address(es)” in the email communication. The table above contained an error until 2 March and has since been corrected.

In the original communication we stated that "(A portion of) Email Addresses" were leaked. However in previous communication on this site we only mentioned a partial e-mail address. We were pointed out that this was inconsistent. The table below is now updated to be more consistent. ​ In July, indications showed that only phone numbers were exposed through a brute‑force enumeration attack. Although there was no evidence of the same method being used to obtain email addresses, the possibility of full, partial, or anonymized addresses being exposed could not be ruled out. For this reason, the impact was described as “(A portion of) Email address(es)” in the original email communication (see below).

We have made numerous changes to mitigate the security risks then, now and in the future. First and foremost, the abused "search neighbor or colleague" feature in July 2025 has been fixed immediately upon detection back in July 2025. You can no longer search for partial phone numbers and e-mail addresses. Also, users need to confirm first if they want to be ‘findable’ via this way in the first place. Furthermore we strengthened our firewall, implemented rate-limiting, enabled intrusion detection, and improved alerting and notification systems to detect future breaches. We also increased engagement with a professional external cybersecurity firm. The changes go beyond technical fixes and improvements; they also include how our team operates and handles sensitive requests.

A brute-force enumeration attack was carried out, in which random telephone numbers or email addresses were tested to see which ones existed. You can compare this to trying different combinations on a numerical lock until the correct one is found. We identified the attack on 27 July 2025, immediately closed the vulnerability, and implemented additional security measures.

A portion of the accounts in the leaked dataset belonged to users who, under our own privacy policy, should have had their data deleted. An important nuance here is that not all MyPup accounts are equal in terms of data ownership: depending on how an account was created, the responsibility for managing and deleting that data may lie with MyPup directly, or with the organisation (such as an employer or building operator) that provisioned the account. This affects which accounts are subject to our automated deletion process. For the accounts that are under our direct responsibility, our deletion process was configured to remove only 10 expired accounts per day. This limit was reasonable when we launched back in 2014 but had not been updated to reflect our growth since then. There was absolutely no malicious intent to keep old data. We have since increased this limit and corrected the process. We are sorry this was not addressed sooner. ​​​

When you login to your account, navigate to your contact details and click ‘terminate’. After you’ve received a confirmation link, your account and corresponding details will be removed.

• Please be extra cautious with unexpected emails or SMS messages claiming to come from MyPup. We will never just ask for personal information, passwords, or delivery codes via email or SMS. • It is possible that the attacker may choose to publish the stolen data. Because of the nature of the leaked information, it could also be used to impersonate MyPup. Unfortunately we are not allowed to use the data on the dark web and therefore cannot inform users about if and when data is actually being published. When you have received the notification in November 2025 it is highly likely that the account details is part of a possible (future) publication of stolen data. • You can also check your e-mail address at haveibeenpwned.com (http://haveibeenpwned.com)if it has been part of another data breach. Use common best practices on every account on the internet: • Enable Multi-Factor authentication where possible. • Use strong and unique passwords and use a password manager. • Use secure login methods where possible: Passkeys, third party logins (like Microsoft, Google, Apple login). • Be aware of phishing: If you receive a suspicious message, do not click on any links. Unfortunately it gets more and more common that personal data gets exposed on the internet. As hackers increasingly use AI to target personal data. Always be cautious and alert when going online and receive messages.

A security researcher or ethical hacker reports a vulnerability so it can be fixed. This individual demanded nearly €90.000 in Bitcoin. He fabricated a charity scheme by using the name of Bits of Freedom, an organisation that confirmed they had no involvement. ​ The day after his payment deadline passed, he built infrastructure to sabotage login functionality for MyPup and other customers. He also illegally impersonated MyPup users to gain access to third-party accounts through our Customer Support Department. And now he threatens to publish user records on his website that are more detailed than what our system ever returned, and more detailed than his own evidence files. Finally, he spreads false claims about client terminations to manufacture commercial pressure. ​ These are not the actions of a researcher. This is extortion and it is treated as such by Dutch law enforcement.

Claims about specific clients terminating contracts are false. They are being circulated as part of the pressure campaign to create the impression of a mass exodus. ​ Ending a business relationship does not recover or protect data that has already been accessed. This is not a security measure. The suggestion to terminate contracts comes directly from the extortion campaign and is designed to create commercial pressure on MyPup. We hope that your decision to continue working with us is based on our service quality and transparency, and we are happy to go through both with you in as much detail as you need.

At the end of 2025, a hacker used social engineering techniques to exploit our customer support processes. By impersonating legitimate users, the individual contacted our support team and was able to gain unauthorized access to a small number of third‑party accounts.  ​Since we got  This incident revealed weaknesses in our customer support verification procedures. These weaknesses have since been identified and fully addressed. The affected users were notified and contacted personally on December 2nd, and a report was submitted to the Autoriteit Persoonsgegevens on the same day.

See below the original notification that was sent on November 28, 2025. ​ Important update regarding a security incident at MyPup. ​ In July 2025, a cyber incident occurred within our organisation. As a result, affected users were notified. During an attempt at unauthorised access, data from approximately 60,000 MyPup users was viewed. We deeply regret that this incident took place and understand that it may cause concern. We take the protection of personal data extremely seriously and believe it is important to inform everyone fully and transparently. ​​​ What happened? A brute-force enumeration attack was carried out, in which random telephone numbers or email addresses were tested to see which ones existed. You can compare this to trying different combinations on a numerical lock until the correct one is found. We identified the attack on 27 July 2025, immediately closed the vulnerability, and implemented additional security measures. After this incident, MyPup was informed anonymously that there was an even larger hack of approximately 60.000 users. We then immediately informed all affected accounts on 28 November 2025.   What data was accessed without authorisation? • Telephone number • (Part of) the email address • Pick Up Point name • Part of the name ​​ Important to know: • No access was gained to user accounts. • The incident was identified and stopped on 27 July. • Individuals whose data was accessed were informed at the time. • We immediately reported the incident to the Dutch Data Protection Authority and filed a report with the police. • Since then, we have implemented various security measures, tightened internal processes and further enhanced our security in collaboration with an external cyber-security firm.​ ​ Stay alert Some of the exposed information could potentially be used for phishing or other fraudulent activities. Do you have a MyPup account? Please remain alert to suspicious messages, phone calls or links. MyPup will only email you from the my-pup.com (http://my-pup.com)or mypup.nl (http://mypup.nl)domains. Telephone numbers will never be used to request personal information. If in doubt, always contact us via infosecurity@my-pup.com.(mailto:infosecurity@my-pup.com)   We regret the inconvenience this incident may have caused and are doing everything we can to safeguard privacy and maintain your trust. If you have any questions or concerns, please feel free to contact our security team at infosecurity@my-pup.com(mailto:infosecurity@my-pup.com)