Petco shuts down Vetco website after customers’ personal information was exposed


Pet care company Petco has taken part of its Vetco Clinics website offline after a security flaw exposed large amounts of customers’ personal information on the open web.

After TechCrunch alerted the company to exposed data related to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data leak at its veterinary services company, and declined to comment further.

The vulnerability allowed anyone on the Internet to download customer records from Vetco’s website without requiring the user’s login information. At least one customer record has been exposed and indexed by Google, allowing anyone to find the data by searching for it.

The customer records, viewed by TechCrunch, included visit summaries, medical histories, prescription records, and vaccinations, among other files related to Vetco customers and their pets.

The files also contain customer names; their home address, email address and phone number; the location of the Vetco clinic where services are provided; medical assessments, tests and diagnoses; costs of merchandise; names of veterinarians; consent forms; owner signatures; and dates of service.

We also found the animals’ names, species, breeds, sex, age, date of birth, microchip number (if registered), medical biodata and prescription records in the files.

TechCrunch alerted Petco to the vulnerability on Friday after discovering it. The company acknowledged the data exposure days later, on the following Tuesday, after TechCrunch followed up by attaching several exposed customer files to our email.

Petco spokesperson Ventura Olvera told TechCrunch late Tuesday that the company “has implemented, and will continue to implement, additional measures to further enhance the security of our systems,” though the company did not provide evidence for that claim.

Olvera did not clarify whether the company had the technical means, such as logs, to determine whether any data had been extracted from the company’s systems during the data leak.

How TechCrunch found the data leak

TechCrunch has identified a vulnerability in how Vetco’s website creates copies of PDF documents for its customers.

The Vetco customer portal, located at petpass.com, allows customers to log in and access veterinary records and other documents related to their pets’ care. But TechCrunch found that the PDF creation page on Vetco’s website was public and not password-protected.

As such, it was possible for anyone on the Internet to access sensitive customer files directly from Vetco’s servers by modifying the web address to enter a customer’s unique identification number. Vetco customer numbers are sequential, which means one can access other customers’ data simply by changing the customer number by one or two digits.

TechCrunch scanned 100,000 customers at intervals to determine how many records may have been exposed in total. The customer serial numbers indicate that millions of Petco customers’ information could be retrieved.

The flaw is known as an insecure direct object reference (or IDOR), a common security flaw that allows unrestricted access to files on a server because there are no proper checks in place to ensure the person accessing the data is allowed to do so.
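The missing check described above, as a minimal sketch added here for illustration; it is not Vetco's or Petco's code. The record store, session tokens and function names are all constructed, and returning the same 404 for "missing" and "not yours" is one design choice among several.

```python
# Added illustration: a toy model of a document endpoint keyed by a sequential
# customer number. All names and records are constructed, not Vetco's code.
from collections import Counter

# Constructed sample data: customer number -> record owner and document.
RECORDS = {
    1001: {"owner": "alice", "pdf": b"%PDF visit summary (alice)"},
    1002: {"owner": "bob", "pdf": b"%PDF visit summary (bob)"},
}
# Constructed session store: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
AUDIT = []  # (user, customer_id, outcome) tuples kept for later investigation


def get_pdf_vulnerable(customer_id):
    """The IDOR pattern: the identifier in the request is the only gate."""
    record = RECORDS.get(customer_id)
    return (200, record["pdf"]) if record else (404, b"")


def get_pdf_hardened(session_token, customer_id):
    """Authenticate the caller, then check that the record belongs to them."""
    user = SESSIONS.get(session_token)
    if user is None:
        AUDIT.append((None, customer_id, "unauthenticated"))
        return (401, b"")
    record = RECORDS.get(customer_id)
    # Same 404 for "missing" and "not yours", so responses do not reveal
    # which customer numbers exist.
    if record is None or record["owner"] != user:
        AUDIT.append((user, customer_id, "denied"))
        return (404, b"")
    AUDIT.append((user, customer_id, "ok"))
    return (200, record["pdf"])


def users_with_denials(audit, threshold):
    """Flag users denied access to at least `threshold` distinct customer IDs."""
    denied = {(u, cid) for u, cid, outcome in audit if outcome == "denied"}
    counts = Counter(u for u, _ in denied)
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The audit trail is what lets an operator later answer whether records were pulled in bulk, which is the question about logs that went unanswered above.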

It’s not clear how long these customer records have been exposed, but the customer history listed on Google dates back to mid-2020.

Petco’s third hack this year

By TechCrunch’s count, this is Petco’s third data breach in 2025.

Earlier this year, hackers linked to the Scattered Lapsus$ Hunters hacking group allegedly stole large amounts of data from a customer information database that Petco hosts with cloud giant Salesforce. The hackers demanded that the victim companies pay a ransom so that their information would not be leaked.

In September, Petco revealed a second data breach, relating to a security issue that the company said it discovered itself. Petco blamed the data leak on “a setting within one of our software applications that inadvertently allowed access to certain files over the Internet,” but did not provide specific details about the incident.

That data breach involved sensitive customer information, such as Social Security numbers, driver’s licenses, and financial information, including debit and credit card numbers.

Olvera declined to say how many people were affected by the September incident, but California law requires companies to publicly disclose data breaches when the number of victims in the state exceeds 500 people.

TechCrunch believes the recent data leak involving Vetco is an isolated security incident, given that Petco began notifying its customers of the previous data leak several months ago.
