
Petco Vetco Data Breach: Customer Information Exposed

December 10, 2025

Petco Vetco Clinics Data Breach

Petco, a prominent pet wellness provider, has temporarily removed a section of its Vetco Clinics website following a security incident. This lapse resulted in the exposure of a significant amount of customer data to public access.

Data Exposure Details

The issue came to light after TechCrunch notified Petco of the exposed data pertaining to Vetco customers and their animal companions. The company has confirmed an investigation is underway but has refrained from providing further commentary at this time.

The security vulnerability permitted unauthorized access to customer records directly from the Vetco website, circumventing the standard login procedures. At least one customer’s record was even indexed by Google, making it discoverable through a simple search.

Types of Information Compromised

Review of the exposed files by TechCrunch revealed a comprehensive range of sensitive information. This included detailed visit summaries, complete medical histories, and records of prescriptions and vaccinations for both customers and their pets.

Specifically, the compromised data encompassed customer names, residential addresses, email addresses, and phone numbers. It also included the location of the Vetco clinic where services were received.

Further details within the files contained medical evaluations, test results, diagnoses, service costs, veterinarian names, signed consent forms, owner signatures, and dates of service rendered.

Information regarding the animals themselves was also present. This included names, species, breed, sex, age, date of birth, microchip numbers (where applicable), vital signs, and prescription details.

Timeline of Events

TechCrunch initially alerted Petco to the security flaw on Friday. The company acknowledged the data exposure several days later, on Tuesday, after TechCrunch provided supporting evidence by attaching exposed customer files to their follow-up email.

Petco spokesperson Ventura Olvera stated that the company is actively enhancing its system security. However, no concrete evidence supporting this claim was provided.

Investigation and Data Extraction

Olvera declined to confirm whether Petco possesses the necessary technical capabilities, such as system logs, to ascertain if any data was actually extracted during the period the vulnerability existed.

The incident highlights the importance of robust security measures in protecting sensitive customer information within the veterinary services sector.

Discovery of the Data Exposure by TechCrunch

TechCrunch discovered a security flaw in the way Vetco’s website creates PDF copies of documents for its customers.

The customer portal, accessible at petpass.com, enables users to access veterinary records and related documentation pertaining to their pets. However, TechCrunch’s investigation revealed that the page responsible for PDF generation was publicly accessible, lacking password protection.

Consequently, individuals with internet access could directly retrieve sensitive customer files from Vetco’s servers. This was achieved by manipulating the URL to include a customer’s unique identification number.

Vetco’s customer identification numbers follow a sequential pattern. This meant that data belonging to other customers could be accessed by simply altering the customer number by a small increment, such as one or two digits.

To gauge the extent of the potential exposure, TechCrunch performed checks at intervals of 100,000 customers. The sequential numbering scheme indicates that the information of potentially millions of Petco customers was retrievable.

This vulnerability is categorized as an insecure direct object reference (IDOR). IDOR is a frequent security oversight in which a server hands over files to anyone who requests them, because it does not sufficiently verify access permissions.

The duration for which these customer records were exposed remains uncertain, though a Google-indexed record indicated exposure dating back to mid-2020.
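
Sequential customer numbers in a URL leave a recognisable trace in web-server logs: one client receiving several different customers' PDFs, or PDFs served with no session at all. The following is an added example, not from the article or from Petco, that checks constructed log lines for that pattern; the log format, the `/records/pdf` path and the `customer_id` parameter are assumptions.

```python
# Added illustration; the log format, the /records/pdf path and the
# customer_id parameter are hypothetical, not Vetco's real URL scheme.
import re
from collections import defaultdict

# Constructed sample access-log lines: client, session (or "-"), request, status.
SAMPLE_LOG = """\
198.51.100.7 sess=ab12 "GET /records/pdf?customer_id=4100231" 200
203.0.113.9 sess=- "GET /records/pdf?customer_id=5000000" 200
203.0.113.9 sess=- "GET /records/pdf?customer_id=5000001" 200
203.0.113.9 sess=- "GET /records/pdf?customer_id=5000002" 200
203.0.113.9 sess=- "GET /records/pdf?customer_id=5000003" 404
198.51.100.7 sess=ab12 "GET /records/pdf?customer_id=4100231" 200
"""

LINE = re.compile(
    r'^(?P<ip>\S+) sess=(?P<sess>\S+) '
    r'"GET /records/pdf\?customer_id=(?P<cid>\d+)" (?P<status>\d{3})$'
)

def review(log_text, max_ids_per_client=2):
    """Summarise PDF fetches per client and flag likely enumeration."""
    served = defaultdict(set)   # client -> customer IDs actually returned (200)
    unauth = defaultdict(int)   # client -> successful fetches with no session
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["status"] != "200":
            continue            # only responses that delivered a record matter
        served[m["ip"]].add(int(m["cid"]))
        if m["sess"] == "-":
            unauth[m["ip"]] += 1
    findings = {}
    for ip, ids in served.items():
        reasons = []
        if len(ids) > max_ids_per_client:
            reasons.append("many distinct customer IDs")
        if unauth[ip]:
            reasons.append("records served without a session")
        if reasons:
            # The ID list is also the starting point for customer notification.
            findings[ip] = {"ids": sorted(ids), "reasons": reasons}
    return findings

if __name__ == "__main__":
    for ip, detail in review(SAMPLE_LOG).items():
        print(ip, detail)
```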

Understanding the Insecure Direct Object Reference (IDOR)

An IDOR vulnerability occurs when an application provides direct access to objects based on user-supplied input without checking that the requester is authorized for the referenced object. With that check absent, attackers can manipulate the reference to reach objects that belong to other users.

In this instance, the customer ID served as the direct object reference. Without adequate security measures, unauthorized individuals could bypass normal access controls.
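
The missing check can be shown in a few lines. The following is an added example, not code from the article or from Vetco's application, that places a handler trusting the requested customer ID beside one that decides access from the logged-in session; the record store, `Session` type and function names are hypothetical.

```python
# Added illustration; the record store, session model and function names are
# hypothetical and are not taken from Vetco's application.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data with sequential customer IDs, as the article describes.
RECORDS = {
    1001: "visit summary for customer 1001",
    1002: "visit summary for customer 1002",
}

@dataclass
class Session:
    customer_id: int  # identity the server established at login

class Forbidden(Exception):
    """Raised for every refusal so the response does not reveal which IDs exist."""

def get_record_vulnerable(requested_id: int) -> str:
    """IDOR: trusts the ID in the request; no login, no ownership check."""
    return RECORDS[requested_id]

def get_record_fixed(session: Optional[Session], requested_id: int) -> str:
    """Serve a record only to an authenticated session that owns it."""
    if session is None:
        raise Forbidden("authentication required")
    # Authorization comes from server-side session state, never from the
    # identifier the client supplied. Random IDs would make guessing harder
    # but would not replace this comparison.
    if session.customer_id != requested_id or requested_id not in RECORDS:
        raise Forbidden("not permitted")
    return RECORDS[requested_id]

def can_fetch(session: Optional[Session], requested_id: int) -> bool:
    """True if the fixed handler would return the record."""
    try:
        get_record_fixed(session, requested_id)
        return True
    except Forbidden:
        return False

if __name__ == "__main__":
    print(get_record_vulnerable(1002))      # returned to anyone who asks
    print(can_fetch(None, 1002))            # no session: refused
    print(can_fetch(Session(1001), 1002))   # another customer's ID: refused
    print(can_fetch(Session(1001), 1001))   # own record: allowed
```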

Potential Impact of the Exposure

  • Sensitive Data Access: Veterinary records, potentially including personal and medical information about pets and their owners, were at risk.
  • Privacy Concerns: The exposure raises significant privacy concerns for affected customers.
  • Data Breach Implications: Although no evidence of malicious exploitation has been reported, the vulnerability created a pathway for a potential data breach.

Petco Experiences Third Data Breach in 2025

According to records maintained by TechCrunch, this marks the third instance of a data security incident at Petco within the current year.

Previously in 2025, a hacking group known as Scattered Lapsus$ Hunters reportedly compromised a substantial amount of customer data. This data was held within a database managed by Salesforce, a leading cloud service provider utilized by Petco.

The hackers involved issued ransom demands to affected organizations, threatening public disclosure of the stolen information if payments were not made.

Petco revealed a second breach in September, identifying it as a vulnerability discovered internally. The company attributed the leak to a misconfiguration within a software application, resulting in unauthorized online access to certain files.

However, specific details regarding this September incident were not fully disclosed by Petco.

The compromised data from the September breach encompassed highly sensitive customer details, including Social Security numbers, driver’s license information, and financial records like debit and credit card numbers.

While Olvera did not specify the number of individuals impacted by the September event, California state law mandates public disclosure of breaches affecting over 500 residents.

TechCrunch assesses that this most recent data leak, concerning Vetco, represents a distinct and separate security event. This determination is based on the fact that Petco had already begun informing customers about the earlier breach several months before this latest incident.
