Petco has taken a section of its Vetco Clinics website offline following a significant security lapse that exposed millions of customers' personal information and their pets' medical histories to the public internet. The vulnerability was discovered and reported by TechCrunch.
The security flaw allowed anyone to download sensitive customer records directly from Vetco's website without requiring login credentials. TechCrunch confirmed that at least one customer record was indexed by Google, making it publicly searchable. The exposed data was extensive, including customer names, home addresses, email addresses, phone numbers, and detailed pet medical histories.
The compromised records, reviewed by TechCrunch, contained a wealth of sensitive information. For pet owners, this included names, home addresses, email addresses, phone numbers, and even owner signatures on consent forms. For pets, the data encompassed names, species, breed, sex, age, date of birth, microchip numbers, medical vitals, visit summaries, detailed medical histories, diagnoses, prescription and vaccination records, and the costs of services rendered at Vetco clinics.
TechCrunch first alerted Petco to the vulnerability on a Friday. Petco acknowledged the data exposure several days later, on the following Tuesday, only after TechCrunch provided concrete evidence by attaching exposed customer files in a follow-up email. Petco spokesperson Ventura Olvera stated that the company has "implemented, and will continue to implement, additional measures to further strengthen the security of our systems," but offered no evidence to support this claim. Olvera also declined to confirm whether Petco possesses the technical capabilities, such as system logs, to ascertain if any data was extracted during the breach.
How the Data Spill Occurred
TechCrunch identified an Insecure Direct Object Reference (IDOR) vulnerability within Vetco's website, specifically how it generated PDF documents for customers. The customer portal, found at petpass.com, allowed logged-in users to access their pet's veterinary records. However, the PDF generation page itself was publicly accessible and lacked password protection.
This critical flaw meant that by simply altering a customer's unique identification number in the web address, anyone could directly access sensitive files from Vetco's servers. Since Vetco's customer numbers were sequential, it was possible to systematically browse and download records for potentially millions of other customers by incrementally changing digits. IDORs are a common security oversight where systems fail to verify if a user is authorized to access specific data, leading to unauthorized access.
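To make the IDOR pattern concrete, here is a small added illustration (not code from Vetco, Petco or TechCrunch; the record store, handler names, session argument and log lines are all constructed for this example). It shows a PDF handler that trusts the identifier in the URL, the same handler with authentication and an ownership check, non-sequential tokens as defence in depth, and a simple log check a defender could run to spot one client walking through many identifiers.

```python
"""Illustration of the IDOR flaw described in the article (added example).

Everything here is constructed for demonstration: the RECORDS store, the
handler functions, the session_user argument and the SAMPLE_LOG lines are
assumptions, not details taken from the Vetco site.
"""
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample data: sequential customer numbers, mirroring the
# sequential identifiers the article says Vetco used.
RECORDS = {
    1001: {"owner": "alice", "pet": "Rex", "visit": "2020-06-01 vaccination"},
    1002: {"owner": "bob", "pet": "Mittens", "visit": "2021-02-14 dental"},
    1003: {"owner": "carol", "pet": "Tweety", "visit": "2022-09-30 checkup"},
}


def vulnerable_pdf_handler(record_id: int):
    """The flaw: the id from the URL is the only input.

    No session is consulted and no ownership check is made, so any id that
    exists is served to whoever asks for it.
    """
    rec = RECORDS.get(record_id)
    return ("200", rec) if rec else ("404", None)


def hardened_pdf_handler(record_id: int, session_user: Optional[str]):
    """Authenticate first, then authorize: the record must belong to the caller."""
    if session_user is None:
        return ("401", None)
    rec = RECORDS.get(record_id)
    # Same response for "no such record" and "not your record", so the
    # status code does not reveal which ids exist.
    if rec is None or rec["owner"] != session_user:
        return ("404", None)
    return ("200", rec)


# Defence in depth: expose random, unguessable tokens instead of sequential
# numbers. The authorization check above is still required; tokens only make
# blind enumeration impractical.
_TOKEN_TO_ID: dict = {}


def issue_token(record_id: int) -> str:
    """Mint an opaque token for a record and remember the mapping server-side."""
    token = secrets.token_urlsafe(16)
    _TOKEN_TO_ID[token] = record_id
    return token


def resolve_token(token: str) -> Optional[int]:
    """Map a token back to a record id; unknown tokens resolve to None."""
    return _TOKEN_TO_ID.get(token)


# Constructed access-log lines in the form "<client ip> GET /pdf?id=<n>".
SAMPLE_LOG = [
    "198.51.100.4 GET /pdf?id=1001",
    "203.0.113.9 GET /pdf?id=1001",
    "203.0.113.9 GET /pdf?id=1002",
    "203.0.113.9 GET /pdf?id=1003",
    "198.51.100.4 GET /pdf?id=1001",
]


def flag_enumeration(log_lines, threshold: int = 3):
    """Return clients that requested at least `threshold` distinct record ids.

    A normal customer fetches their own record; a client stepping through many
    ids is the access pattern a defender wants to alert on.
    """
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split()
        seen[ip].add(path.rsplit("=", 1)[1])
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, no login:", vulnerable_pdf_handler(1002))
    print("hardened, no login:", hardened_pdf_handler(1002, None))
    print("hardened, wrong owner:", hardened_pdf_handler(1002, "alice"))
    print("hardened, owner:", hardened_pdf_handler(1001, "alice"))
    print("clients enumerating ids:", flag_enumeration(SAMPLE_LOG))
```

The point of the hardened handler is that the ownership check, not the obscurity of the identifier, is what closes the hole; the random tokens and the log check are supporting controls. The log check also answers the question the article says Petco could not: with request logs retained, a defender can tell after the fact whether records were walked in bulk.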
It remains unclear how long these records were exposed, but at least one customer record found on Google was dated mid-2020, suggesting a prolonged vulnerability.
Third Data Breach for Petco This Year
This latest incident marks Petco's third reported data breach in 2025, according to TechCrunch. Earlier in the year, the Scattered Lapsus$ Hunters hacking collective allegedly stole a vast amount of customer data from a Petco database hosted by Salesforce, demanding ransom from affected companies.
In September, Petco disclosed a second security lapse, which it claimed to have discovered internally. The company attributed this breach to "a setting within one of our software applications that inadvertently allowed certain files to be accessible online," though specific details were withheld. That particular breach was highly sensitive, compromising customer Social Security numbers, driver's licenses, and financial information, including debit and credit card numbers.
While Petco spokesperson Olvera did not specify the number of individuals affected by the September incident, California law mandates public disclosure for breaches impacting over 500 state residents. TechCrunch believes the current Vetco data leak is a distinct security event, separate from the previous incidents, given the timeline of customer notifications for the earlier breaches.