Petco takes down Vetco website after exposing customers’ personal information


Pet wellness company Petco has taken part of its Vetco Clinics website offline after a security lapse exposed reams of customers' personal information to the open web.

After TechCrunch alerted the company to the exposed data relating to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data leak at its veterinary services company, and declined to comment further.

The security lapse allowed anyone on the internet to download customer records from Vetco's website without needing a user's login information. At least one customer record was exposed and indexed by Google, allowing anyone to find the data by searching for it.

The customer records, seen by TechCrunch, included visit summaries, medical histories, and medication and vaccination records, among other files relating to Vetco customers and their pets.

The files also contained customer names; their home address, email address, and phone number; the location of the Vetco clinic where the services were performed; medical assessments, tests and diagnoses; and the costs of goods, names of veterinarians, consent forms, owner signatures, and dates of service.

We also found animal names, species and breed, their sex, age and date of birth, their microchip number (if registered), their medical vitals, and medication records in the files.

TechCrunch alerted Petco to the security lapse on Friday after discovering the vulnerability. The company acknowledged the security vulnerability days later on the following Tuesday after TechCrunch followed up by attaching several exposed customer files to our email.

Petco spokesperson Ventura Olvera told TechCrunch late on Tuesday that the company has "implemented, and will continue to implement, further measures to further strengthen the security of our systems," though the company did not provide evidence for the claim.

Olvera would not say if the company has the technical means, such as logs, to determine if any data was extracted from the company's systems during the course of the data spill.

How TechCrunch found the data spill

TechCrunch identified a vulnerability in how Vetco's website generates copies of PDF documents for its customers.

Vetco's customer portal, located at petpass.com, allows customers to log in and get veterinary records and other documents relating to their pet's care. But TechCrunch found that the PDF-generating page on Vetco's website was public, and not protected with a password.

As such, it was possible for anyone on the internet to access sensitive customer files directly from Vetco's servers by modifying the web address to input a customer's unique identification number. Vetco customer numbers are sequential, which means one could access other customers' data simply by changing a customer number by one or two digits.

TechCrunch checked at intervals of 100,000 customers to determine how many records may have been exposed in total. The sequential customer numbers suggest that millions of Petco customers' information could have been retrieved.

The bug is classed as an insecure direct object reference (or IDOR), a common lapse in security practices that allows unfettered access to files on a server because there aren't proper checks in place to make sure the user accessing the data is permitted to.
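The flaw described above, modelled as an added example (this is not code from TechCrunch, Petco or Vetco, and nothing in it describes Vetco's real system): a toy PDF endpoint that takes only a sequential customer number, a hardened version that ties the number to an authenticated session and answers "not yours" and "does not exist" identically, a per-customer unguessable document token as an alternative to exposing the raw number at all, and a probe that walks the number space at fixed intervals the way the reporter did. The record store, customer numbers, status codes and every function name are assumptions made for the example.

```python
"""Toy model of an insecure direct object reference (IDOR) on a PDF endpoint,
beside a hardened version. Added example; all data and names are constructed
and hypothetical, not Vetco's or Petco's code."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample store keyed by sequential customer numbers. The gaps
# stand in for a much larger real population.
RECORDS: Dict[int, bytes] = {
    1000001: b"%PDF-1.4 visit summary for customer 1000001",
    1000002: b"%PDF-1.4 vaccination record for customer 1000002",
    1100001: b"%PDF-1.4 visit summary for customer 1100001",
    1200001: b"%PDF-1.4 visit summary for customer 1200001",
}

Response = Tuple[int, bytes]  # (HTTP-style status code, body)


@dataclass
class Session:
    """An authenticated portal session (hypothetical shape)."""
    customer_id: int


def vulnerable_pdf_endpoint(customer_id: int) -> Response:
    """The bug: the customer number from the URL is the only input and
    no session is required, so any number on the internet works."""
    body = RECORDS.get(customer_id)
    return (200, body) if body is not None else (404, b"")


def hardened_pdf_endpoint(session: Optional[Session], customer_id: int) -> Response:
    """Require a session and check that the record belongs to it. An
    unauthorized id gets the same 404 as a missing id, so the endpoint does
    not reveal which customer numbers exist."""
    if session is None:
        return (401, b"")
    if session.customer_id != customer_id:
        return (404, b"")
    body = RECORDS.get(customer_id)
    return (200, body) if body is not None else (404, b"")


# Optional second layer: hand the browser an unguessable token instead of the
# sequential number, so links cannot be walked by adding a digit or two.
_DOC_TOKENS: Dict[str, int] = {}


def issue_document_link(session: Session) -> str:
    """Mint a 256-bit random token bound to the session's customer."""
    token = secrets.token_urlsafe(32)
    _DOC_TOKENS[token] = session.customer_id
    return token


def pdf_by_token(session: Optional[Session], token: str) -> Response:
    """Resolve a token to its owner and still enforce the ownership check."""
    if session is None:
        return (401, b"")
    owner = _DOC_TOKENS.get(token)
    if owner is None or owner != session.customer_id:
        return (404, b"")
    return hardened_pdf_endpoint(session, owner)


def probe_sequence(fetch: Callable[[int], Response], start: int, stop: int, step: int) -> List[int]:
    """Mimic the reporter's check: request customer numbers at fixed
    intervals with no credentials and list the ones that come back 200."""
    return [cid for cid in range(start, stop, step) if fetch(cid)[0] == 200]


def token_flow_demo() -> Tuple[int, int, int]:
    """Exercise the token path: owner, a different customer, no session."""
    owner, other = Session(1100001), Session(1000001)
    token = issue_document_link(owner)
    return (pdf_by_token(owner, token)[0],
            pdf_by_token(other, token)[0],
            pdf_by_token(None, token)[0])


if __name__ == "__main__":
    span = (1000001, 1300000, 100000)  # every 100,000th customer number
    print("vulnerable:", probe_sequence(vulnerable_pdf_endpoint, *span))
    print("hardened:  ", probe_sequence(lambda c: hardened_pdf_endpoint(None, c), *span))
    print("token flow:", token_flow_demo())
```

The probe against the vulnerable endpoint returns a hit at every interval it tries, which is exactly the signal that let the reporter estimate the size of the exposure from sequential numbers; against the hardened endpoint it returns nothing, and the token path cannot be enumerated at all because the space is 2^256 rather than a few million consecutive integers. The ownership check is the fix; the token is defence in depth, not a replacement for it.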

It's not clear how long these customer records have been left exposed, but the customer record listed on Google was dated mid-2020.

Third Petco breach this year

By TechCrunch's count, this is Petco's third data breach in 2025.

Earlier this year, hackers associated with the Scattered Lapsus$ Hunters hacking collective allegedly stole reams of data from a database of customer information that Petco hosts with cloud giant Salesforce. The hackers demanded victim companies pay a ransom to not have their information leaked.

In September, Petco disclosed a second data breach involving a security incident that the company said it discovered on its own. Petco blamed the data leak on "a setting within one of our software applications that inadvertently allowed certain files to be accessible online," but did not provide specific details of the incident.

That data breach included sensitive customer data, such as Social Security numbers, driver's licenses, and financial information, including debit and credit card numbers.

Olvera declined to say how many people are affected by the September incident, but California law requires companies to disclose data breaches publicly once the number of victims in the state exceeds 500 people.

TechCrunch believes this latest data leak involving Vetco is a separate security incident, given that Petco began notifying its customers of the previous data leak several months ago.
