Petco takes down Vetco website after exposing customers’ personal information

Pet wellness company Petco has taken a portion of its Vetco Clinics website offline following a security lapse that exposed customers’ personal information on the open web. After TechCrunch alerted the company to the exposed data relating to Vetco customers and their pets, Petco confirmed it was investigating the leak at its veterinary services company and declined to comment further.

The security lapse allowed anyone on the internet to download customer records from Vetco’s website without needing login information. At least one customer record was exposed and indexed by Google, making it publicly searchable.

The exposed customer records included visit summaries, medical histories, and prescription and vaccination records. The files contained customer names, home addresses, email addresses, phone numbers, and the location of the Vetco clinic where services were performed. They also included medical assessments, tests, diagnoses, costs of goods, names of veterinarians, consent forms, owner signatures, and dates of service.

The records further contained animal names, species, breed, sex, age, date of birth, microchip numbers, medical vitals, and prescription records.

TechCrunch alerted Petco to the security lapse on a Friday after discovering the vulnerability. The company acknowledged the data exposure the following Tuesday after TechCrunch followed up by attaching several exposed customer files to an email.

Petco spokesperson Ventura Olvera stated that the company has implemented, and will continue to implement, additional measures to further strengthen the security of its systems. The company did not provide evidence for this claim. Olvera would not say whether the company has the technical means to determine whether any data was extracted during the course of the data spill.

TechCrunch identified a vulnerability in how Vetco’s website generates copies of PDF documents for its customers. Vetco’s customer portal allows customers to log in and obtain veterinary records. However, the PDF-generating page on the website was public and not password protected.

This allowed anyone on the internet to access sensitive customer files directly from Vetco’s servers by modifying the web address to input a customer’s unique identification number. Since Vetco customer numbers are sequential, it was possible to access other customers’ data by changing the customer number by one or two digits. Checks at intervals suggest that millions of Petco customers’ information could have been retrieved.

This bug is classed as an insecure direct object reference, a common security lapse that allows unfettered access to files on a server due to improper access checks. It is not clear how long these records were exposed, but one customer record listed on Google was dated mid-2020.
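The missing access check described above, shown next to a corrected version, as an added example that is not from the article or from Vetco's code. The handler names, session store, and records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: sequential customer numbers, as the article describes.
RECORDS = {
    100001: b"%PDF- visit summary for customer 100001",
    100002: b"%PDF- visit summary for customer 100002",
}
# Constructed session store: session token -> customer number it was issued to.
SESSIONS = {"tok-alice": 100001, "tok-bob": 100002}


@dataclass
class Response:
    status: int
    body: bytes = b""


def get_pdf_vulnerable(customer_id: int, session_token: Optional[str] = None) -> Response:
    """The flaw: the ID in the web address alone selects the record."""
    pdf = RECORDS.get(customer_id)
    return Response(200, pdf) if pdf is not None else Response(404)


def get_pdf_hardened(customer_id: int, session_token: Optional[str] = None) -> Response:
    """Require a valid session, then check that the session owns the record."""
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None:
        return Response(401)  # not logged in: the page is no longer public
    if owner != customer_id:
        # Same answer for "not yours" and "does not exist", so responses
        # do not reveal which customer numbers are valid.
        return Response(404)
    pdf = RECORDS.get(customer_id)
    return Response(200, pdf) if pdf is not None else Response(404)


def audit(handler) -> dict:
    """Regression check: request every record as anonymous and as each user,
    and count responses that return a record to someone who does not own it."""
    leaks = 0
    for cid in RECORDS:
        for token in (None, *SESSIONS):
            authorized = SESSIONS.get(token) == cid
            if handler(cid, token).status == 200 and not authorized:
                leaks += 1
    return {"unauthorized_reads": leaks}
```

Running `audit` against both handlers gives a test that fails whenever a record is served to a caller who does not own it, which is the property the public PDF page lacked.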

By TechCrunch’s count, this is Petco’s third data breach in 2025. Earlier this year, hackers allegedly stole data from a customer information database that Petco hosts with cloud giant Salesforce. In September, Petco disclosed a second data breach involving a security issue the company said it discovered on its own, which exposed sensitive customer information including Social Security numbers and financial data.

Olvera declined to say how many people were affected by the September incident. TechCrunch believes this latest data leak involving Vetco is a separate security incident, as Petco began notifying customers of the previous data leak several months ago.