
Petco, the pet wellness company, has temporarily taken down part of its Vetco Clinics website following a serious security lapse that left sensitive customer information publicly accessible on the internet. The issue came to light after TechCrunch informed Petco about the exposed data concerning Vetco clients and their pets. In a statement, Petco acknowledged the data leak and confirmed that it is actively investigating the incident.

The security flaw allowed users to download customer records without requiring any login credentials. Notably, at least one exposed record was indexed by Google, making it searchable online. The leaked customer files, which TechCrunch reviewed, included comprehensive details such as visit summaries, medical histories, vaccination records, and prescriptions. Personal information was also exposed, including names, home addresses, email addresses, and phone numbers. The data also detailed the specific Vetco clinic locations, medical assessments, tests, diagnoses, and costs associated with services rendered. The exposed files contained animal-specific information as well, such as names, species, breeds, ages, and microchip numbers.

TechCrunch first alerted Petco to the security issue on Friday, and the company publicly acknowledged the breach the following Tuesday, after further follow-up. Petco spokesperson Ventura Olvera stated that the company is implementing additional security measures to protect its systems, although Olvera did not provide specific evidence to support these claims. When asked whether the company could determine if any data was extracted during the breach, Olvera did not provide a clear answer.

The vulnerability was traced back to how Vetco’s website generates PDF documents for customers. The customer portal is normally password-protected, but TechCrunch discovered that the PDF generation page was publicly accessible. By altering the web address to include different customer identification numbers, anyone could potentially access sensitive information from Vetco's servers. Because customer numbers are sequential, TechCrunch's investigation found that the flaw could allow the retrieval of data from millions of Petco customers. This security flaw is categorized as an insecure direct object reference (IDOR), a common vulnerability that permits unauthorized access to files on a server because the server does not check whether the requester is allowed to see the referenced record. The length of time the records were exposed remains unknown, but the data indexed by Google dates back to mid-2020.

This incident marks Petco’s third data breach in 2025. Earlier this year, the company suffered a breach involving hackers from the Scattered Lapsus$ Hunters collective, who stole extensive customer data from Petco's database hosted by Salesforce. In September, Petco disclosed another breach that stemmed from a security issue within its software application. California law requires companies to publicly disclose data breaches affecting 500 or more residents. The exact number of individuals impacted by the September breach remains undisclosed, but the incident raises concerns about the safety of customer data at Petco and its various services.
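One way to spot the pattern described above in web server logs, as an added example that is not from the article or from Petco: it flags clients that received PDFs without a session and, among those, clients whose requested customer numbers form a consecutive run. The log format, the endpoint path `/portal/visit-summary.pdf`, the `customer_id` parameter and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not Vetco's):
#   <client_ip> <session_id or "-"> "GET <path>?customer_id=<n> HTTP/1.1" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) "GET (?P<path>[^?\s]+)'
    r'\?customer_id=(?P<cid>\d+) \S+" (?P<status>\d{3})$'
)
PDF_PATH = "/portal/visit-summary.pdf"  # hypothetical endpoint name

# Constructed sample lines using documentation-only IP ranges.
SAMPLE_LOG = """\
198.51.100.20 s-8f2a "GET /portal/visit-summary.pdf?customer_id=48213 HTTP/1.1" 200
203.0.113.7 - "GET /portal/visit-summary.pdf?customer_id=1001 HTTP/1.1" 200
203.0.113.7 - "GET /portal/visit-summary.pdf?customer_id=1002 HTTP/1.1" 200
203.0.113.7 - "GET /portal/visit-summary.pdf?customer_id=1003 HTTP/1.1" 200
203.0.113.7 - "GET /portal/visit-summary.pdf?customer_id=1004 HTTP/1.1" 200
192.0.2.44 - "GET /portal/visit-summary.pdf?customer_id=77120 HTTP/1.1" 200
192.0.2.9 - "GET /portal/visit-summary.pdf?customer_id=5 HTTP/1.1" 401
"""

def unauthenticated_pdf_hits(log_text):
    """Map client IP -> set of customer IDs served (HTTP 200) with no session."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["path"] != PDF_PATH:
            continue
        if m["session"] == "-" and m["status"] == "200":
            hits[m["ip"]].add(int(m["cid"]))
    return dict(hits)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best, run, prev = 0, 0, None
    for cid in sorted(ids):
        run = run + 1 if prev is not None and cid == prev + 1 else 1
        best, prev = max(best, run), cid
    return best

def sequential_walkers(log_text, min_run=3):
    """Clients whose unauthenticated 200s cover >= min_run consecutive IDs."""
    hits = unauthenticated_pdf_hits(log_text)
    return {ip: sorted(ids) for ip, ids in hits.items() if longest_run(ids) >= min_run}

if __name__ == "__main__":
    print("unauthenticated 200s:", unauthenticated_pdf_hits(SAMPLE_LOG))
    print("sequential walkers:", sequential_walkers(SAMPLE_LOG))
```

Any entry returned by `unauthenticated_pdf_hits` already indicates the missing access check, since a correctly protected endpoint would answer those requests with 401 or 403; the consecutive-run filter only separates bulk retrieval from a single stray link.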