Pet wellness company Petco has taken part of its Vetco Clinics website offline after a security breach exposed troves of personal customer information to the open web.
After TechCrunch alerted the company to the exposed data related to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data breach at its veterinary services company and declined to comment further.
The security flaw allowed anyone on the Internet to download customer files from Vetco’s website without needing a user’s login information. At least one customer file was exposed and indexed by Google, allowing anyone to find the data by searching for it.
The customer records, seen by TechCrunch, included visit summaries, medical histories, and prescription and vaccination records, among other records related to Vetco customers and their pets.
The files also contained customer names, home addresses, email addresses, and phone numbers; the location of the Vetco clinic where the services were performed; medical evaluations, tests, and diagnoses; and the cost of goods, names of veterinarians, consent forms, owner signatures, and dates of service.
We also found animal names, species and breed, sex, age and date of birth, microchip number (if registered), and the animals' medical information and prescription records.
TechCrunch notified Petco of the security flaw on Friday after discovering the vulnerability. The company acknowledged the data exposure days later, on the following Tuesday, after TechCrunch followed up by attaching several exposed customer files to its email.
Petco spokesman Ventura Olvera told TechCrunch late Tuesday that the company “has implemented and will continue to implement additional measures to further strengthen the security of our systems,” though the company did not provide evidence for the claim.
Olvera would not say whether the company has the technical means, such as logs, to determine whether data was extracted from the company’s systems during the data breach.
How TechCrunch found the data breach
TechCrunch found a vulnerability in the way Vetco’s website creates copies of PDF documents for its customers.
Vetco’s customer portal, located at petpass.com, allows customers to log in and obtain veterinary records and other documents related to their pet’s care. But TechCrunch found that the PDF creation page on Vetco’s website was public and not password protected.
Therefore, it was possible for anyone on the Internet to access sensitive customer records directly from Vetco’s servers by modifying the web address to enter a customer’s unique identification number. Vetco’s customer numbers are sequential, meaning someone could access other customers’ data just by changing a customer number by a digit or two.
TechCrunch checked at intervals of 100,000 customer numbers to estimate how many records may have been exposed in total. The back-to-back customer numbers suggest that the records of millions of Petco customers could have been retrieved.
The bug is classified as an insecure direct object reference (or IDOR), a common class of flaw in which a server hands out a file or record based on an identifier in the request without first checking that the person asking is allowed to access that particular object.
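To make the IDOR pattern described above concrete from a defender's side, here is an added illustration that is not Vetco's or Petco's code. It models a document endpoint the way the article describes it (a sequential customer number in the URL, no login check), places the corrected version beside it, and adds two things a practitioner would want: unguessable record identifiers as defence in depth, and a simple log check that flags a client collecting many miss responses on the endpoint. The record store, session value, client addresses and log lines are all constructed stand-ins; no real framework is used so the snippet runs offline.

```python
"""Illustrative model of an insecure direct object reference (IDOR) and its fix.

Added example, not Vetco's or Petco's code. RECORDS, the session user string,
the client IPs and the access log are constructed for the demonstration.
"""
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Response = Tuple[int, Optional[str]]  # (HTTP-style status, body or None)


@dataclass(frozen=True)
class Record:
    record_id: str   # the value that appears in the URL
    owner_id: str    # the customer account the record belongs to
    body: str        # stands in for the rendered PDF


# Constructed sample data: sequential customer numbers, as the article describes.
RECORDS = {
    "100001": Record("100001", "alice", "visit summary for Alice's dog"),
    "100002": Record("100002", "bob", "vaccination record for Bob's cat"),
}


def vulnerable_pdf_endpoint(record_id: str, session_user: Optional[str] = None) -> Response:
    """'Before': the identifier in the URL is the only input that matters.

    The session is accepted but never consulted, so anyone who knows or
    increments the number receives the file. This is the IDOR.
    """
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec.body


def hardened_pdf_endpoint(record_id: str, session_user: Optional[str]) -> Response:
    """'After': authenticate first, then check ownership of the object itself."""
    if session_user is None:
        return 401, None
    rec = RECORDS.get(record_id)
    # One response for "not found" and "not yours": the endpoint then does not
    # reveal which identifiers exist, which removes a cheap enumeration oracle.
    if rec is None or rec.owner_id != session_user:
        return 404, None
    return 200, rec.body


def new_record_id() -> str:
    """Defence in depth: an unguessable identifier, so one record's URL says
    nothing about its neighbours. This complements the ownership check above;
    it does not replace it."""
    return secrets.token_urlsafe(16)


def enumerating_clients(access_log: Iterable[Tuple[str, str, int]], threshold: int = 20) -> List[str]:
    """Detection: a client that accumulates many 401/403/404 responses on the
    document endpoint is probably walking the identifier space.

    access_log yields (client_ip, record_id, status) tuples; returns the client
    addresses at or above the threshold, sorted.
    """
    misses = Counter(ip for ip, _, status in access_log if status in (401, 403, 404))
    return sorted(ip for ip, n in misses.items() if n >= threshold)


def sample_access_log() -> List[Tuple[str, str, int]]:
    """Constructed log: one ordinary customer and one client sweeping 25 IDs."""
    log = [("203.0.113.5", "100001", 200)] * 3
    log += [("198.51.100.7", str(100000 + i), 404) for i in range(25)]
    return log


if __name__ == "__main__":
    print("vulnerable, no session:", vulnerable_pdf_endpoint("100002"))
    print("hardened, no session:  ", hardened_pdf_endpoint("100002", None))
    print("hardened, wrong owner: ", hardened_pdf_endpoint("100002", "alice"))
    print("hardened, owner:       ", hardened_pdf_endpoint("100002", "bob"))
    print("opaque id example:     ", new_record_id())
    print("clients to review:     ", enumerating_clients(sample_access_log()))
```

The point of the side-by-side is that the fix is an authorization decision about the object, made on every request, not a hidden URL or a login page in front of a different part of the site. The opaque identifier only makes guessing neighbouring records impractical; the log check gives operations a signal that would also answer the question raised later in the article about whether records were pulled in bulk.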
It’s unclear how long these customer files have been exposed, but the customer file cited by Google dates back to mid-2020.
Third Petco breach this year
By TechCrunch’s count, this is Petco’s third data breach of 2025.
Earlier this year, hackers associated with the hacking collective Scattered Lapsus$ Hunters allegedly stole reams of data from a database of customer information that Petco hosts with cloud giant Salesforce. The hackers demanded that the victim companies pay a ransom in order not to leak their information.
In September, Petco disclosed a second data breach involving a security issue the company said it discovered on its own. Petco blamed the data leak on “a setting in one of our software applications that inadvertently allowed certain files to be accessible online,” but did not provide specific details about the incident.
This data breach included sensitive customer information such as social security numbers, driver’s licenses and financial information including debit and credit card numbers.
Olvera declined to say how many people are affected by the September incident, but California law requires companies to publicly disclose data breaches when the number of victims in the state exceeds 500 people.
TechCrunch believes this latest data breach involving Vetco is a separate security incident, given that Petco began notifying its customers of the previous data breach several months ago.
