Pet wellness company Petco has taken a portion of its Vetco Clinics website offline after a security lapse exposed reams of customers’ personal information to the open web.
After TechCrunch alerted the company to the exposed data relating to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data leak at its veterinary services company, and declined to comment further.
The security lapse allowed anyone on the internet to download customer records from Vetco’s website without needing a user’s login information. At least one customer record was exposed and indexed by Google, allowing anyone to find the data by searching for it.
The customer records, seen by TechCrunch, included visit summaries, medical histories, and prescription and vaccination records, among other files relating to Vetco customers and their pets.
The files also contained customer names; their home address, email address, and phone number; the location of the Vetco clinic where the services were performed; medical assessments, tests and diagnoses; and the costs of goods, names of veterinarians, consent forms, owner signatures, and dates of service.
We also found animal names, species and breed, their sex, age and date of birth, their microchip number (if registered), their medical vitals, and prescription records in the files.
TechCrunch alerted Petco to the security lapse on Friday after discovering the vulnerability. The company acknowledged the data exposure days later on the following Tuesday after TechCrunch followed-up by attaching several exposed customer files to our email.
Petco spokesperson Ventura Olvera told TechCrunch late on Tuesday that the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems,” though the company did not provide evidence for the claim.
Olvera would not say if the company has the technical means, such as logs, to determine if any data was extracted from the company’s systems during the course of the data spill.
How TechCrunch found the data spill
TechCrunch identified a vulnerability in how Vetco’s website generates copies of PDF documents for its customers.
Vetco’s customer portal, located at petpass.com, allows customers to log in and obtain veterinary records and other documents relating to their pet’s care. But TechCrunch found that the PDF generating page on Vetco’s website was public, and not protected with a password.
As such, it was possible for anyone on the internet to access sensitive customer files directly from Vetco’s servers by modifying the web address to input a customer’s unique identification number. Vetco customer numbers are sequential, which means one could access other customers’ data simply by changing a customer number by one or two digits.
TechCrunch checked at intervals of 100,000 customers to determine how many records may have been exposed in total. The sequential customer numbers suggest that millions of Petco customers’ information could have been retrieved.
The bug is classed as an insecure direct object reference (or IDOR), a common lapse in security practices that allows unfettered access to files on a server because there aren’t proper checks in place to make sure the person accessing the data is permitted to.
It’s not clear how long these customer records have been left exposed, but the customer record listed on Google was dated mid-2020.
Third Petco breach this year
By TechCrunch’s count, this is Petco’s third data breach in 2025.
Earlier this year, hackers associated with the Scattered Lapsus$ Hunters hacking collective allegedly stole reams of data from a database of customer information that Petco hosts with cloud giant Salesforce. The hackers demanded victim companies pay a ransom to not have their information leaked.
In September, Petco disclosed a second data breach involving a security issue that the company said it discovered on its own. Petco blamed the data leak on “a setting within one of our software applications that inadvertently allowed certain files to be accessible online,” but did not provide specific details of the incident.
That data breach included sensitive customer information, such as Social Security numbers, driver’s licenses, and financial information, including debit and credit card numbers.
Olvera declined to say how many people are affected by the September incident, but California law requires companies to disclose data breaches publicly when the number of victims in the state crosses 500 people.
TechCrunch believes this latest data leak involving Vetco is a separate security incident, given that Petco began notifying its customers of the previous data leak several months ago.
