Update on July 2025 data leak
Updated on: March 18, 2026.
This morning, MyPup was again contacted by the attacker responsible for the previous security incident. At 08:00 this morning (18 March 2026), the attacker informed us of their intention to contact all affected users directly, with false accusations regarding MyPup and a demand for payment to delete the leaked data. We have been informed that this will happen on Monday, 23 March 2026.
We would like to emphasise that this is a new extortion attempt, which we have already reported to the police. The attacker’s communication is unlawful, misleading, and factually incorrect. All affected users and customers have already been fully and officially informed, and the incident has been reported to the relevant authorities.
The attacker has claimed, among other things:
-
That MyPup has violated GDPR articles;
-
That users are entitled to claim compensation;
-
That he will ask users to donate €25 to UNHCR to have their data deleted;
-
That MyPup must pay in Bitcoin to prevent further publication.
-
These claims are false and are designed solely to exert pressure on MyPup.
MyPup would like to remind users to exercise caution when dealing with emails and phone calls, and users should follow the following warnings:
-
Do not click on any links (that are unexpected or from unknown sources);
-
Do not open any attachments;
-
Do not respond to emails that may have originated from this attacker[JH1] .
The communication of the attacker is not trustworthy and should be ignored to avoid malicious acts. If you wish to read more about how the attack unfolded and gain an overview, please refer to the full timeline of events below.
Update on July 2025 data leak
Updated on: March 3, 2026.
Dear MyPup user and Customer,
We have an update regarding the data leak of July 2025. We regret to inform you that we have now received confirmed evidence that the following information was leaked for nearly 60,000 MyPup users:
Contact-related details
-
Email address: Accessed
-
Telephone number: Accessed
-
(Partial) name: Accessed
However, there are cases that a name can be reconstructed based on the email address and first 3 characters of the delivery code (especially with a short name).
Pick up point related details
-
Name of the pick-up point: Accessed
-
Location of the pick-up point locker: Accessed
-
For office locations: Address or address block
-
For apartment buildings: Address block or range
-
-
Delivery code: Accessed
Used for delivery of parcels via MyPup
What is not accessed
-
Account passwords: Not accessed
-
Payment information: Not accessed
-
Parcel information: Not accessed
-
Full account access: Not accessed
Please be aware
It is possible that the attacker may choose to publish the stolen data. Because of the nature of the leaked information, it could also be used to impersonate MyPup.
Please be extra cautious with unexpected emails or SMS messages claiming to come from MyPup. We will never just ask for personal information, passwords, or delivery codes via email or SMS.
If you receive a suspicious message, please do not click on any links and contact us directly through our official channels.
We sincerely apologize for the inconvenience and concern this may cause.
Below you can find an FAQ regarding this issue.
Team MyPup | My Pick Up Point