Petco takes down Vetco website after exposing customers’ personal information

Pet wellness company Petco has taken a portion of its Vetco Clinics website offline after a security lapse exposed reams of customers’ personal information to the open web. After TechCrunch alerted the company to the exposed data relating to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data leak at its veterinary services company, and declined to comment further. The security lapse allowed anyone on the internet to download customer records from Vetco’s website without needing a user’s login information. At least one customer record was exposed and indexed by Google, allowing anyone to find the data by searching for it. The customer records, seen by TechCrunch, included visit summaries, medical histories, and prescription and vaccination records, among other files relating to Vetco customers and their pets. The files also contained customer names; their home address, email address, and phone number; the location of the Vetco clinic where the services were performed; medical assessments, tests and diagnoses; and the costs of goods, names of veterinarians, consent forms, owner signatures, and dates of service. We also found animal names, species and breed, their sex, age and date of birth, their microchip number (if registered), their medical vitals, and prescription records in the files. TechCrunch alerted Petco to the security lapse on Friday after discovering the vulnerability. The company acknowledged the data exposure days later on the following Tuesday after TechCrunch followed-up by attaching several exposed customer files to our email. Petco spokesperson Ventura Olvera told TechCrunch late on Tuesday that the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems,” though the company did not provide evidence for the claim. Olvera would not say if the company has the technical means, such as logs, to determine if any data was extracted from the company’s systems during the course of the data spill. How TechCrunch found the data spill TechCrunch identified a vulnerability in how Vetco’s website generates copies of PDF documents for its customers. Vetco’s customer portal, located at petpass.com, allows customers to log in and obtain veterinary records and other documents relating to their pet’s care. But TechCrunch found that the PDF generating page on Vetco’s website was public, and not protected with a password. As such, it was possible for anyone on the internet to access sensitive customer files directly from Vetco’s servers by modifying the web address to input a customer’s unique identification number. Vetco customer numbers are sequential, which means one could access other customers’ data simply by changing a customer number by one or two digits. TechCrunch checked at intervals of 100,000 customers to determine how many records may have been exposed in total. The sequential customer numbers suggest that millions of Petco customers’ information could have been retrieved. The bug is classed as an insecure direct object reference (or IDOR), a common lapse in security practices that allows unfettered access to files on a server because there aren’t proper checks in place to make sure the person accessing the data is permitted to. It’s not clear how long these customer records have been left exposed, but the customer record listed on Google was dated mid-2020. Third Petco breach this year By TechCrunch’s count, this is Petco’s third data breach in 2025. Earlier this year, hackers associated with the Scattered Lapsus$ Hunters hacking collective allegedly stole reams of data from a database of customer information that Petco hosts with cloud giant Salesforce. The hackers demanded victim companies pay a ransom to not have their information leaked. In September, Petco disclosed a second data breach involving a security issue that the company said it discovered on its own. Petco blamed the data leak on “a setting within one of our software applications that inadvertently allowed certain files to be accessible online,” but did not provide specific details of the incident. That data breach included sensitive customer information, such as Social Security numbers, driver’s licenses, and financial information, including debit and credit card numbers. Olvera declined to say how many people are affected by the September incident, but California law requires companies to disclose data breaches publicly when the number of victims in the state crosses 500 people. TechCrunch believes this latest data leak involving Vetco is a separate security incident, given that Petco began notifying its customers of the previous data leak several months ago. Topics cybersecurity, data breach, data exposure, Exclusive, Petco, Security, vetco Zack Whittaker Security Editor Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security. He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.

View Bio Dates TBD Locations TBA Plan ahead for the 2026 StrictlyVC events. Hear straight-from-the-source candid insights in on-stage fireside sessions and meet the builders and backers shaping the industry. Join the waitlist to get first access to the lowest-priced tickets and important updates.

Waitlist Now Most Popular SpaceX reportedly planning 2026 IPO with $1.5T valuation target Sean O'Kane Claude Code is coming to Slack, and that’s a bigger deal than it sounds Rebecca Bellan Creator IShowSpeed sued for allegedly punching, choking viral humanoid Rizzbot Dominic-Madori Davis Sources: AI synthetic research startup Aaru raised a Series A at a $1B ‘headline’ valuation Marina Temkin SpaceX reportedly in talks for secondary sale at $800B valuation, which would make it America’s most valuable private company Connie Loizos Meta acquires AI device startup Limitless Sarah Perez After Neuralink, Max Hodak is building something even wilder Connie Loizos