Your pet’s medical records shouldn’t be easier to find than your local coffee shop’s Wi-Fi password. Yet Petco managed to make millions of Vetco veterinary files as accessible as a TikTok dance tutorial—no login required.
The pet retailer pulled part of its Vetco Clinics website offline after TechCrunch discovered that customer records were sitting in the digital equivalent of an unlocked filing cabinet on a busy street corner. This marks Petco’s third major security failure in 2025, turning what should be isolated incidents into a disturbing pattern that raises serious questions about the company’s commitment to protecting sensitive customer data.
When Sequential Numbers Become Security Nightmares
A textbook web vulnerability exposed veterinary records through easily guessable URLs.
The Vetco portal at petpass.com generated PDF copies of vet records through what security experts call an IDOR vulnerability—insecure direct object reference. Think of it like hotel room keycards that open any door if you just change the room number.
Vetco used sequential customer IDs in their URLs, meaning anyone could access other customers’ files by simply adding or subtracting numbers from the web address. TechCrunch’s spot-checks suggested millions of records were potentially accessible through this elementary security failure that should have been caught in basic security testing.
Your Pet’s Digital Paper Trail Goes Public
Google indexed at least one customer record, proving these documents were openly searchable online.
The exposed data reads like a privacy nightmare checklist:
- Names, addresses, phone numbers, email addresses
- Pet medical histories, vaccination records, prescription details
- Veterinarians’ names, clinic locations
- Consent forms with signatures
- Pet microchip numbers
One record dating back to mid-2020 appeared in Google search results, suggesting this vulnerability may have persisted for years before discovery. The fact that Google’s crawlers found and indexed these files demonstrates just how publicly accessible this sensitive information had become.
Third Strike in Twelve Months
Earlier 2025 breaches exposed Social Security numbers and financial data through similar configuration failures.
September’s breach involved a “misconfigured software application” that exposed customers’ Social Security numbers, driver’s license numbers, bank account details, and credit card information across multiple states. Earlier still, the Scattered Lapsus$ Hunters hacking group allegedly stole data from Petco’s Salesforce-hosted database.
Each incident follows the same script: configuration errors, delayed detection, and corporate responses heavy on additional security measures but light on specifics. The pattern suggests systemic problems with Petco’s security culture rather than isolated technical hiccups.
For consumers increasingly treating pet care like human healthcare, these repeated failures erode trust in an industry racing to digitize everything from vaccination records to prescription management. Your dog’s privacy apparently deserves better protection than Petco’s currently providing.
