Petco Takes Vetco Clinics Site Offline After Major Data Exposure Leaves Customer Records Accessible Online

Pet wellness brand Petco has temporarily taken parts of its Vetco Clinics website offline after a security failure left large amounts of customer information publicly accessible.

TechCrunch notified the company about the exposed Vetco customer and pet data, after which Petco acknowledged the issue in a statement, saying it is investigating the incident at its veterinary services arm. The company declined to share further details.

The lapse meant that anyone online could directly download customer files from the Vetco site without needing an account or login credentials. At least one customer file was publicly visible and had even been indexed by Google, making it searchable.

According to data reviewed by TechCrunch, the exposed records included visit notes, medical histories, prescriptions, vaccination details, and other documents linked to Vetco customers and their pets.

These files contained personal information such as customer names, home addresses, phone numbers and email addresses, along with clinic locations, medical evaluations, diagnoses, test results, treatment details, itemized costs, veterinarian names, signed consent forms, and service dates.

Pet details were also disclosed, including pet names, species, breed, sex, age, date of birth, microchip numbers, medical vitals, and prescription histories.

TechCrunch reported the flaw to Petco on Friday. The company acknowledged the exposure on Tuesday after receiving follow-up communication that included examples of the leaked files.

Petco spokesperson Ventura Olvera told TechCrunch that the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems,” though Petco did not provide proof of these measures. Olvera also declined to clarify whether the company has logging tools capable of determining whether the data was accessed or extracted during the exposure.

The vulnerability stems from how Vetco’s website generates downloadable PDFs for customers. Vetco’s portal, petpass.com, gives customers access to their vet records. However, TechCrunch discovered that the PDF-generation page was left publicly accessible without any password protection.

This allowed anyone to retrieve sensitive documents simply by altering the URL to include a customer’s unique identification number. Because Vetco’s customer IDs are sequential, adjusting the number by small increments exposed other customers’ records as well.

By checking ID numbers in increments of 100,000, TechCrunch estimated that the flaw could have exposed information belonging to millions of Petco customers.

The issue is a textbook insecure direct object reference (IDOR): the server uses a client-supplied identifier to select a record and never checks that the requester is authorized to see that particular record. IDOR is a form of broken access control, and it is made worse here by sequential IDs, which let an attacker guess valid identifiers instead of having to obtain them some other way.
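The pattern described above, reduced to code. This is an added illustration written for this post, not Vetco's implementation; the record store, the `customer_id` values, the account names and the `/pdf` handler names are all assumptions. The vulnerable handler trusts the ID in the URL, the hardened one requires a session and checks that the record belongs to that session's user, and the handle-minting functions show the defence-in-depth step of not exposing the sequential key in the URL at all.

```python
"""IDOR: an anonymous, sequential-ID document endpoint beside a hardened
version that ties every lookup to the authenticated user. Illustrative
code written for this article; it is not Vetco's implementation and all
names and IDs are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PetRecord:
    owner: str       # account entitled to read this record
    pet_name: str
    notes: str


# Constructed sample data with sequential customer IDs, as the article describes.
RECORDS: Dict[int, PetRecord] = {
    1000001: PetRecord("alice@example.com", "Biscuit", "Rabies booster; 12 kg"),
    1000002: PetRecord("bob@example.com", "Mochi", "Dental cleaning; bloodwork normal"),
    1000003: PetRecord("carol@example.com", "Rex", "Microchip implanted"),
}


class NotFound(Exception):
    """One error for both 'does not exist' and 'not yours', so the response
    does not tell an attacker which IDs are valid."""


def vulnerable_pdf(record_id: int) -> PetRecord:
    """VULNERABLE: the URL parameter alone selects the record. No session,
    no ownership check; anyone can walk the ID space."""
    if record_id not in RECORDS:
        raise NotFound(record_id)
    return RECORDS[record_id]


def hardened_pdf(session_user: Optional[str], record_id: int) -> PetRecord:
    """HARDENED: authenticate first, then confirm the record belongs to the
    caller. The check is on the object, not merely on 'is logged in'."""
    if session_user is None:
        raise NotFound(record_id)
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        raise NotFound(record_id)
    return record


def can_read(session_user: Optional[str], record_id: int) -> bool:
    """Boolean wrapper around the hardened check, handy for tests."""
    try:
        hardened_pdf(session_user, record_id)
        return True
    except NotFound:
        return False


def enumerate_ids(fetch: Callable[[int], PetRecord], start: int, stop: int) -> List[int]:
    """Step through an ID range the way an attacker would; return the IDs
    that yielded a document."""
    found = []
    for rid in range(start, stop + 1):
        try:
            fetch(rid)
            found.append(rid)
        except NotFound:
            pass
    return found


# Defence in depth: hand out unguessable handles instead of the raw
# sequential key, so the URL itself no longer reveals a walkable ID space.
_HANDLES: Dict[str, int] = {}


def mint_handle(record_id: int) -> str:
    handle = secrets.token_urlsafe(24)
    _HANDLES[handle] = record_id
    return handle


def resolve_handle(session_user: Optional[str], handle: str) -> PetRecord:
    record_id = _HANDLES.get(handle)
    if record_id is None:
        raise NotFound(handle)
    return hardened_pdf(session_user, record_id)   # ownership is still checked
```

Running `enumerate_ids` against `vulnerable_pdf` returns every record in the range with no credentials at all; against `hardened_pdf` with no session it returns nothing, and with a valid session it returns only that user's own record. Returning the same error for "missing" and "forbidden" matters too: a distinguishable 403 would let an attacker confirm which IDs exist even when the download is blocked.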

It remains unknown how long the data was publicly exposed, but the record visible on Google dated back to mid-2020.
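Whether anyone besides TechCrunch walked the ID space is exactly the question web server access logs can answer, if they were kept. As an added example (not Petco's tooling, and the log lines, endpoint path and `customer_id` parameter are constructed for illustration), the following triage flags clients that requested many distinct IDs, reports the stride when those IDs form a regular sequence such as the 100,000-step probing described above, and collects every ID that was actually served, which is the minimum set of records to treat as exposed.

```python
"""Access-log triage for ID enumeration against a document endpoint.
Constructed example written for this article; the log lines, path and
parameter name are assumptions, not Petco/Vetco data."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Hit(NamedTuple):
    client: str
    customer_id: int
    status: int


# Combined-log-format line for the (assumed) PDF endpoint. Only GETs that
# carry a numeric customer_id are of interest.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /portal/pdf\?customer_id=(?P<cid>\d+) HTTP/[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client stepping IDs by 100,000, one ordinary
# customer re-downloading a single record, one crawler fetching one record.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2025:10:01:02 +0000] "GET /portal/pdf?customer_id=1000001 HTTP/1.1" 200 48211 "-" "curl/8.4.0"
203.0.113.7 - - [14/Nov/2025:10:01:03 +0000] "GET /portal/pdf?customer_id=1100001 HTTP/1.1" 200 51023 "-" "curl/8.4.0"
203.0.113.7 - - [14/Nov/2025:10:01:04 +0000] "GET /portal/pdf?customer_id=1200001 HTTP/1.1" 404 0 "-" "curl/8.4.0"
203.0.113.7 - - [14/Nov/2025:10:01:05 +0000] "GET /portal/pdf?customer_id=1300001 HTTP/1.1" 200 47780 "-" "curl/8.4.0"
203.0.113.7 - - [14/Nov/2025:10:01:06 +0000] "GET /portal/pdf?customer_id=1400001 HTTP/1.1" 200 49902 "-" "curl/8.4.0"
198.51.100.23 - - [14/Nov/2025:10:02:10 +0000] "GET /portal/pdf?customer_id=1000002 HTTP/1.1" 200 50100 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Nov/2025:10:02:40 +0000] "GET /portal/pdf?customer_id=1000002 HTTP/1.1" 200 50100 "-" "Mozilla/5.0"
66.249.66.1 - - [14/Nov/2025:10:03:00 +0000] "GET /portal/pdf?customer_id=1000003 HTTP/1.1" 200 46001 "-" "Googlebot/2.1"
"""


def parse_log(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append(Hit(m["client"], int(m["cid"]), int(m["status"])))
    return hits


def find_enumerators(hits: List[Hit], min_distinct: int = 3) -> Dict[str, dict]:
    """Flag clients that requested at least `min_distinct` different IDs.
    For each, report how many requests were actually served (HTTP 200) and,
    when the distinct IDs form an arithmetic progression, the stride: the
    signature of someone stepping through a sequential ID space."""
    by_client: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        by_client[h.client].append(h)
    flagged = {}
    for client, rows in by_client.items():
        ids = sorted({r.customer_id for r in rows})
        if len(ids) < min_distinct:
            continue
        gaps = {b - a for a, b in zip(ids, ids[1:])}
        flagged[client] = {
            "distinct_ids": len(ids),
            "served": sum(1 for r in rows if r.status == 200),
            "stride": gaps.pop() if len(gaps) == 1 else None,
        }
    return flagged


def served_ids(hits: List[Hit]) -> Set[int]:
    """Every customer ID for which a document was returned, regardless of
    who asked: the floor for scoping which customers to notify."""
    return {h.customer_id for h in hits if h.status == 200}
```

On the sample data the scanner at 203.0.113.7 is flagged with five distinct IDs, four served, stride 100000; the repeat download from 198.51.100.23 and the single crawler fetch are not. Note that a 404 still counts toward the enumeration signal even though nothing was served, and that a real investigation would also need to consider clients spreading requests over many source addresses.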

This marks the third data incident involving Petco in 2025, according to TechCrunch’s reporting.

Earlier in the year, hackers linked to the Scattered Lapsus$ Hunters group reportedly stole a large trove of customer data from a Salesforce-hosted Petco database and sought ransom payments to avoid leaking the data.

In September, Petco disclosed another breach involving a misconfigured software setting that mistakenly made certain files available online. That incident exposed highly sensitive data—including Social Security numbers, driver’s license details, and payment information like credit and debit card numbers.

Olvera did not confirm how many customers were affected by the September breach. Under California law, organizations must publicly report breaches affecting more than 500 state residents.

TechCrunch believes the newly discovered Vetco data exposure is a separate event because Petco had already begun notifying customers about the earlier breach months prior.