**PETCO TAKES DOWN VETCO WEBSITE AFTER EXPOSING CUSTOMERS' PERSONAL INFORMATION**

In a shocking revelation, pet wellness company Petco has taken down a portion of its Vetco Clinics website after a security lapse exposed sensitive customer information to the open web. The incident was brought to light by TechCrunch, which alerted Petco to the exposed data relating to Vetco customers and their pets.

According to TechCrunch, the security lapse allowed anyone on the internet to download customer records from Vetco's website without needing a user's login information. This included reams of sensitive information such as visit summaries, medical histories, prescription and vaccination records, and more.

The exposed customer records, which date back to mid-2020, contained personal details including names, home addresses, email addresses, phone numbers, and dates of service. The files also revealed animal-related information such as breed, sex, age, and microchip number (if registered), as well as prescription records and medical vitals.

TechCrunch discovered the vulnerability after finding that the PDF-generating page on Vetco's website was public and not protected with a password. By changing the web address to include a customer's unique identification number, anyone could access sensitive customer files directly from Vetco's servers. Because these numbers are sequential, millions of Petco customers' information could have been retrieved.

The bug is classified as an insecure direct object reference (or IDOR), a common security lapse in which a server hands over the file named in a request without checking that the person asking for it is permitted to access it.

Petco spokesperson Ventura Olvera confirmed the data exposure and stated that the company has "implemented, and will continue to implement, additional measures to further strengthen the security of our systems." However, he refused to provide evidence for this claim or reveal whether the company has the technical means to determine if any data was extracted from its systems during the course of the data spill.
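An added illustration of the flaw described above (not code from Vetco, Petco or TechCrunch): a record handler that trusts the identifier in the request beside one that authenticates the caller and checks ownership, plus a log review that lists clients served records belonging to more than one owner, which is the kind of check needed to tell whether data was pulled. The record store, session tokens, function names and log entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real records): record id -> owner and document.
RECORDS = {
    1001: {"owner": "alice", "pdf": b"%PDF-1.4 visit summary A"},
    1002: {"owner": "bob", "pdf": b"%PDF-1.4 visit summary B"},
    1003: {"owner": "carol", "pdf": b"%PDF-1.4 visit summary C"},
}
SESSIONS = {"tok-alice": "alice"}  # hypothetical session token -> account


def fetch_unchecked(record_id, session_token=None):
    """Flawed pattern: the identifier in the request is the only input used."""
    rec = RECORDS.get(record_id)
    return (200, rec["pdf"]) if rec else (404, b"")


def fetch_checked(record_id, session_token=None):
    """Authenticate the caller, then authorize against the record's owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, b"")
    rec = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours", so replies do not confirm valid ids.
    if rec is None or rec["owner"] != user:
        return (404, b"")
    return (200, rec["pdf"])


def clients_crossing_owners(access_log, max_owners=1):
    """Audit past requests: clients served records of more than max_owners owners."""
    owners = defaultdict(set)
    for client, record_id, status in access_log:
        if status == 200 and record_id in RECORDS:
            owners[client].add(RECORDS[record_id]["owner"])
    return sorted(c for c, seen in owners.items() if len(seen) > max_owners)


# Constructed access log: (client address, record id, HTTP status).
SAMPLE_LOG = [
    ("198.51.100.7", 1001, 200),
    ("198.51.100.7", 1002, 200),
    ("198.51.100.7", 1003, 200),
    ("203.0.113.5", 1001, 200),
    ("203.0.113.5", 1001, 200),
]
```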

This incident is not an isolated one. TechCrunch reports that Petco experienced two previous data breaches in 2025, including one earlier this year where hackers associated with the Scattered Lapsus$ Hunters hacking collective allegedly stole reams of data from a database of customer information hosted by cloud giant Salesforce.

Olvera declined to say how many people are affected by these incidents or provide specific details about the previous breaches. California law requires companies to disclose data breaches publicly when the number of victims in the state crosses 500 people.

This latest security lapse raises concerns about Petco's handling of sensitive customer information and highlights the need for robust cybersecurity measures to protect against such vulnerabilities. As TechCrunch's Zack Whittaker notes, "This is not a trivial issue – it's a serious breach that has put millions of customers' personal data at risk."