Pet wellness company Petco has taken portions of its Vetco Clinics website offline after a security flaw exposed large amounts of customers' personal information to the open web.
After TechCrunch alerted the company that data about Vetco customers and their pets had been compromised, Petco confirmed in a statement that it was investigating the data breach at its veterinary services company and declined further comment.
This security lapse allowed anyone on the Internet to download customer records from Vetco's website without requiring the user's login information. At least one customer record has been published and indexed by Google, allowing anyone to search and find the data.
The customer records reviewed by TechCrunch included visit summaries, medical histories, prescription and vaccination records, among other files related to Vetco customers and their pets.
The file also contained customer names. Home address, email address, and phone number. Vetco clinic location where service was performed. Medical evaluation, testing, and diagnosis. Product price, veterinarian's name, consent form, owner's signature, date of service.
Records of the animal's name, species and breed, sex, age and date of birth, microchip number (if registered), medical vitals and prescriptions were also found in the file.
TechCrunch alerted Petco about the security flaw on Friday after discovering the vulnerability. The company acknowledged the data breach a few days later, the following Tuesday, after TechCrunch followed up with some of the leaked customer files attached to our emails.
Petco spokesperson Ventura Olvera told TechCrunch late Tuesday that the company has “implemented and will continue to implement additional measures to further strengthen the security of our systems,” but the company did not provide evidence for that claim.
Olvera declined to say whether the company has logs or other technical means to determine whether any data was extracted from its systems during the data breach.
How TechCrunch discovered the data breach
TechCrunch identified a vulnerability in the way Vetco's website generates copies of PDF documents for customers.
Vetco's customer portal at petpass.com allows customers to log in and retrieve veterinary records and other documentation regarding their pet's care. However, TechCrunch discovered that the PDF generation page on Vetco's website is public and not password protected.
This allowed anyone on the Internet to access a customer's confidential files directly from Vetco's servers by changing the web address and entering the customer's unique identification number. Vetco customer numbers are sequential, so you can access other customers' data by simply changing one or two digits in your customer number.
TechCrunch investigated each of 100,000 customers to determine how many records may have been compromised in total. Sequential customer numbers suggest that information for millions of Petco customers may have been obtained.
This bug is classified as Insecure Direct Object Reference (IDOR). This is a common flaw in security practices that allows unrestricted access to files on a server because there are no proper checks in place to confirm whether access to the data is authorized.
It's unclear how long these customer records remained public, but the customer records listed on Google dated from mid-2020.
Third Petco breach this year
This is Petco's third data breach in 2025, as counted by TechCrunch.
Earlier this year, hackers associated with the hacking group Scattered Lapsus$ Hunters allegedly stole large amounts of data from a database of customer information hosted by Petco in conjunction with cloud giant Salesforce. The hackers demanded that the victim companies pay a ransom to prevent the information from being leaked.
In September, Petco disclosed a second data breach related to security issues, which the company said it discovered independently. Petco blamed the data breach on “configurations in our software applications that inadvertently allowed access to certain files online,” but did not provide specific details of the incident.
The data breach included sensitive customer information such as Social Security numbers, driver's licenses, and financial information such as debit and credit card numbers.
Olvera declined to say how many people were affected by the September incident, but California law requires companies to publicly disclose data breaches if the number of victims in the state exceeds 500.
TechCrunch believes this data breach involving Vetco is another security incident, considering that Petco began notifying customers about a previous data breach several months ago.