The pet welfare company has taken down part of its Vetco Clinics website after a security lapse exposed customers' personal information on the open web.
After TechCrunch alerted the company to exposed data related to Vetco customers and their pets, Petco confirmed in a statement that it is reviewing the data of its veterinary services, and declined to comment.
The security breach allowed anyone on the Internet to download customer records from Vetco's website without requiring the user's login information. At least one customer record was exposed and indexed by Google, allowing anyone to find the data by searching.
Customer records, seen by TechCrunch, include summaries, medical histories, and prescriptions, among other files related to Vetco customers and their pets.
The files also contain customer names; home addresses, email addresses, and phone numbers; the location of the Vetco clinic where the service was performed; medical assessments, tests and diagnoses; and item costs, the vet's name, consent forms, the owner's signature, and the date of service.
We also found the animal's name, species and breed, sex, age and date of birth, microchip number (if registered), medical vitals, and prescription notes in the files.
TechCrunch alerted Petco to the security lapse on Friday after discovering the vulnerability. The company acknowledged the data exposure to TechCrunch on Tuesday, after TechCrunch followed up by attaching several exposed customer files to our email.
A spokesperson for Petco told TechCrunch on Tuesday that the company has “implemented, and will continue to enforce, the security of our systems,” although the company did not provide evidence for the claim.
Olvera would not say whether the company has any technical means, such as logs, to determine whether the data was taken from the company’s system during the data spill.
How TechCrunch Discovered the Data Spill
TechCrunch discovered a vulnerability in how Vetco's website generates copies of PDF documents for customers.
The Vetco customer portal, located at petpass.com, allows customers to log in and obtain veterinary records and other documents related to pet care. But TechCrunch discovered that the PDF generation page on Vetco's website was public, and not password-protected.
As such, it was possible for anyone on the Internet to access sensitive customer files directly from Vetco's servers by modifying the web address to input a customer's unique identification number. Vetco customer numbers are sequential, which means other customers' data could be accessed by changing the customer number by one or two digits.
TechCrunch checked customer numbers at intervals of 100,000 to determine how many records could be exposed in total. The sequential customer numbers indicate that information on millions of Petco customers could be retrieved.
The bug is classified as an insecure direct object reference (or IDOR), a common lapse in security practices that allows unauthorized access to files on the server because there are no proper checks to ensure that the person requesting them is authorized.
It is not clear how long the customer records were left exposed, but the customer records listed on Google date back to the mid-2020s.
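The ownership check that an IDOR-prone PDF endpoint like the one described above lacks, together with a log review of the kind the article asks about, is sketched below as an added example. It is not Petco's or TechCrunch's code, and the record store, function names, IP addresses and threshold are all constructed assumptions.

```python
"""Added example: object-level authorization for a per-customer PDF endpoint.
All names, records and addresses are constructed for illustration."""
from collections import defaultdict

# Constructed sample store, keyed by sequential customer number.
RECORDS = {
    100001: {"owner": "alice", "pdf": b"%PDF-1.7 record for 100001"},
    100002: {"owner": "bob", "pdf": b"%PDF-1.7 record for 100002"},
}

def fetch_record_pdf(audit, client_ip, session_user, customer_number):
    """Return (status, body) and append every decision to the audit list.

    session_user is None for an unauthenticated request; customer_number
    comes from the URL and is therefore caller-controlled.
    """
    record = RECORDS.get(customer_number)
    if session_user is None:
        status, body = 401, b""      # no login: nothing is returned
    elif record is None or record["owner"] != session_user:
        status, body = 404, b""      # same answer for "missing" and "not yours"
    else:
        status, body = 200, record["pdf"]
    audit.append((client_ip, session_user, customer_number, status))
    return status, body

def enumeration_suspects(audit, threshold=3):
    """Clients refused for `threshold` or more distinct customer numbers."""
    refused = defaultdict(set)
    for client_ip, _user, customer_number, status in audit:
        if status != 200:
            refused[client_ip].add(customer_number)
    return {ip: sorted(nums) for ip, nums in refused.items() if len(nums) >= threshold}

def demo():
    audit = []
    results = [
        fetch_record_pdf(audit, "198.51.100.7", "alice", 100001),  # own record
        fetch_record_pdf(audit, "198.51.100.7", "alice", 100002),  # someone else's
        fetch_record_pdf(audit, "203.0.113.9", None, 100001),      # not logged in
        fetch_record_pdf(audit, "203.0.113.9", None, 100002),
        fetch_record_pdf(audit, "203.0.113.9", None, 100003),
    ]
    return [status for status, _ in results], enumeration_suspects(audit)

if __name__ == "__main__":
    print(demo())
```

Returning the same status for a record that does not exist and one that belongs to someone else keeps the endpoint from confirming which customer numbers are valid.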
Petco's third data breach of the year
By TechCrunch’s calculations, this is Petco’s third data breach in 2025.
Earlier this year, hackers associated with the Scattered Lapsus$ Hunters collective stole data from the customer information database that Petco hosts with cloud giant Salesforce. The hackers demanded that the victim companies pay a ransom in order not to have the information leaked.
In September, Petco disclosed a second data breach involving a security issue that the company says it discovered on its own. Petco blamed the data leak on “a setting in one of its software applications that inadvertently allowed certain files to be accessed online,” but did not provide specific details about the incident.
That data breach included sensitive customer information, such as Social Security numbers, driver's licenses, and financial information, including debit and credit card numbers.
Olvera declined to say how many people were affected by the September incident, but California law requires companies to disclose data breaches in the state when they affect more than 500 people.
TechCrunch believes that this latest data exposure involving Vetco is a separate security incident, as Petco had already begun notifying customers of the earlier incidents.

