Privacy Breach on the Petfinder website

Update 11/11/2013 1:20 PM Eastern: We have heard from some users that the Petfinder API has been updated to not include at least some of the private information that was previously accessible.  We have not been able to independently verify this, but it does seem that Petfinder may have closed some or all of the privacy issues.

Over the past 24 hours we have contacted Nestle, Purina, and Petfinder concerning a Privacy Breach on the website. So far, we have not seen any kind of response from them.

Below is the email we sent them:

The purpose of this email is to inform you of a breach of privacy on the Petfinder website.

The Petfinder website is currently exposing private organization and animal information to the public via the “<<redacted>>” URL, which appears to act as a publicly accessible API server without authentication or security whatsoever.

The exposed information includes private organization information such as home addresses, email addresses, account settings, account status and object metadata, as well as private animal fields and metadata. This includes animals with a private status (including “Not Available”) as well as organizations that no longer have active accounts with the Petfinder service.

What information is Petfinder exposing?

As mentioned in the email to Petfinder and Nestle Purina, the breach is allowing public access to your personal, private, and sensitive contact and animal information.

The amount of private information that is accessible is staggering. It literally includes all organization information and settings, and all pets and pet information, including:

  1. Full organization “physical mailing” address (Petfinder says, “NOT accessible to the public”)
  2. Full street address for the organization (despite “keep street address private” selection)
  3. Full street address and email address for the primary contact
  4. Full contact names for your organization, including Director's name
  5. Your organization’s exports/API settings
  6. Your organization’s “sponsor this pet” settings
  7. Private and sensitive organization and animal information, including:
  • When your account was created
  • When you logged in last
  • If your account is active or suspended
  • Arrival date
  • When you created or last updated each pet
  • Internal ID (Petfinder says, "Internal ID will not" be visible by the public)
  • Foster's email address

This includes all pets in the Petfinder database, regardless of status, so even the "private" statuses like Not Available, Hold, and Return Pending are not protected: any pet that has been seized or reclaimed and added as Not Available is in fact easily accessible to the public.

We have found that over 23,900 organizations are exposed, including thousands of closed accounts since 1999.

We do not believe, however, that your Petfinder account password is vulnerable.
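To make the failure concrete, here is an added example (not Petfinder's code; all field and status names are assumptions) of the server-side filtering an API like this should apply before returning a record to an unauthenticated caller: an allow-list of public fields, the "keep street address private" setting honoured, closed accounts and non-public pet statuses omitted entirely.

```python
from typing import Optional

# Allow-lists: anything not named here is never serialized for the public,
# so new settings or metadata fields cannot leak by default.
ORG_PUBLIC_FIELDS = {"id", "name", "city", "state", "zip"}
PET_PUBLIC_FIELDS = {"id", "name", "species", "status", "description"}
# Statuses the post names as private (Not Available, Hold, Return Pending)
# are excluded by listing only the status that is meant to be public.
PUBLIC_PET_STATUSES = {"Adoptable"}


def public_org_view(org: dict) -> Optional[dict]:
    """Public projection of an organization record, or None if the
    organization must not be listed at all (closed or suspended accounts)."""
    if org.get("account_status") != "active":
        return None
    view = {k: v for k, v in org.items() if k in ORG_PUBLIC_FIELDS}
    # Street address is public only when the org has not asked to hide it
    # (hidden when the setting is missing); the "physical mailing" address
    # is never in the allow-list, so it can never be returned.
    if not org.get("keep_street_address_private", True):
        view["street_address"] = org.get("street_address")
    return view


def public_pet_view(pet: dict, org: dict) -> Optional[dict]:
    """Public projection of a pet; pets of unlisted orgs or in a private
    status are omitted entirely, not returned with fields blanked."""
    if public_org_view(org) is None:
        return None
    if pet.get("status") not in PUBLIC_PET_STATUSES:
        return None
    return {k: v for k, v in pet.items() if k in PET_PUBLIC_FIELDS}


# Constructed sample records (hypothetical, not real Petfinder data).
ACTIVE_ORG = {
    "id": 1, "name": "Example Rescue", "city": "Springfield", "state": "IL",
    "zip": "62701", "street_address": "12 Sample St",
    "keep_street_address_private": True,
    "physical_mailing_address": "PO Box 1 (private)",
    "primary_contact_email": "director@example.invalid",
    "account_status": "active", "created_at": "2005-01-01",
    "last_login": "2013-11-10", "export_api_settings": {"enabled": True},
}
CLOSED_ORG = dict(ACTIVE_ORG, id=2, account_status="closed")
HELD_PET = {"id": 10, "name": "Rex", "species": "Dog", "status": "Not Available",
            "internal_id": "case 4421 seized", "foster_email": "f@example.invalid"}
LISTED_PET = dict(HELD_PET, id=11, status="Adoptable")
```

Applied to the sample records, the closed organization and the Not Available pet disappear from public responses entirely, and the active organization is reduced to its name and city-level location.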

It’s easy to see what information of yours is available publicly. Simply make a request directly to the Petfinder API to see the raw data.  For more information, please contact support.

Post Edited: To further protect your privacy, we have removed the URLs that you can use to see what information is exposed.  If you'd like to see the information for yourself, please contact us.

When will the vulnerability be resolved?

We do not know when this issue will be resolved. We are also not in a position to effectively convince Petfinder to resolve this issue in a timely manner. That's why we feel it's important that you (the rescues and shelters affected) are aware of your exposure.

Therefore, that responsibility falls on the organizations and individuals who are risking animal drop-offs in the middle of the night, spam email, and liability issues due to current and previous owners’ access to your sensitive information.

What should you do?

We encourage you to do whatever is best for your organization. Here are some thoughts and suggestions:

Remove any sensitive information from your Petfinder account

  1. Closing your account will not protect your private information, because every organization that has ever had a Petfinder account is exposed.
  2. Changing your sensitive information to "fake" or public information may mitigate some risk.
  3. Removing any private information from the animal Internal ID field may avoid some legal issues.

Let any coworkers and other rescues and shelters know about the privacy breach

If you have any contacts in the rescue and shelter world, please pass this information on to them.

Contact Petfinder and demand that this privacy issue be resolved immediately

If you know of any ways to contact Petfinder (email addresses, phone numbers, Facebook pages, etc.) please share them in the comments of this blog post.

Please let us know if you have any questions, or if we can help you in any way.

Please share your experiences in the comments below.
