Fashion Retailer Express Patches Website Flaw Exposing Customer Data

A security vulnerability at fashion retailer Express briefly exposed sensitive customer information online, allowing unauthorized access to order details and personal data through simple web searches. The flaw, which was publicly disclosed in April 2026, has since been remediated after being reported by a security advocate.

How the Flaw Was Discovered

Rey Bango, a security and privacy advocate, inadvertently discovered the vulnerability while investigating a suspicious transaction on a family member's account. When attempting to verify the legitimacy of an Express order number using Google, Bango found that altering the order number in the web address allowed access to other customers' order confirmation pages.

"I saw a link to another order and someone else's order information came up!" Bango told TechCrunch. He noted that Express uses largely sequential order numbers, making it easy for automated tools to cycle through thousands of records by modifying the URL.

What Information Was Exposed

The exposed data included customer names, phone numbers, email addresses, postal and billing addresses, delivery addresses, order details such as purchased items, and partial payment card information, specifically the card type and last four digits. At least a dozen customer orders were found to be publicly listed in search engine results before the issue was resolved.

Express's Response

After being contacted by TechCrunch, Express patched the flaw on Wednesday, April 15, 2026. The company confirmed that the affected pages were secured but did not disclose whether it plans to notify impacted customers.

In a statement, Express marketing executive Joe Berean said: "We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly."

Broader Implications

The incident highlights ongoing risks associated with predictable URL structures in web applications. Security experts warn that sequential identifiers in web addresses can enable unauthorized data access if proper access controls are not implemented. Similar vulnerabilities have affected other retailers and online services in recent years.

As e-commerce continues to grow, retailers face increasing pressure to safeguard customer data against both sophisticated cyberattacks and avoidable configuration flaws. Regular security audits, penetration testing, and responsible disclosure programs are considered essential practices for maintaining consumer trust in digital retail platforms.
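The following is an added illustration, not code from Express or from the article, of the class of flaw described above: an order lookup keyed only on a sequential order number, the ownership check that closes it, an unguessable confirmation token as an alternative to exposing the sequential number in a shareable link, and a log heuristic a defender could use to spot one client walking consecutive order IDs. The order records, IP addresses and log lines are constructed sample data, and the function names are assumptions for the example.

```python
"""Added example (not Express's code or the article's): an insecure direct
object reference on a sequential order number, the fix, and a detection
heuristic. All orders, tokens, IPs and log lines below are constructed."""
import secrets
from collections import defaultdict

# Constructed sample orders keyed by a sequential order number.
ORDERS = {
    100041: {"customer": "alice@example.com", "last4": "4242", "items": ["jacket"]},
    100042: {"customer": "bob@example.com", "last4": "1881", "items": ["jeans"]},
    100043: {"customer": "carol@example.com", "last4": "0005", "items": ["scarf"]},
}


def get_order_vulnerable(order_id):
    """Looks the order up by ID alone: whoever guesses a valid ID gets the record.
    This mirrors the flaw the article describes."""
    return ORDERS.get(order_id)


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested order."""


def get_order_secure(order_id, session_user):
    """Authorises the lookup: the record must belong to the authenticated user.
    Missing and foreign orders get the same error so the response does not
    reveal which sequential IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        raise Forbidden("order not found")
    return order


# For unauthenticated confirmation links (for example a link in an email),
# bind the page to a random token rather than to the sequential number.
CONFIRMATION_TOKENS = {}


def issue_confirmation_token(order_id):
    """Returns a 256-bit URL-safe token mapped to the order."""
    token = secrets.token_urlsafe(32)
    CONFIRMATION_TOKENS[token] = order_id
    return token


def get_order_by_token(token):
    """Resolves a confirmation token; unknown tokens yield None."""
    order_id = CONFIRMATION_TOKENS.get(token)
    return ORDERS.get(order_id) if order_id is not None else None


# Constructed access-log lines: "<client ip> <method> <path> <status>".
SAMPLE_LOG = """\
203.0.113.7 GET /order/confirmation?id=100041 200
203.0.113.7 GET /order/confirmation?id=100042 200
203.0.113.7 GET /order/confirmation?id=100043 200
203.0.113.7 GET /order/confirmation?id=100044 200
203.0.113.7 GET /order/confirmation?id=100045 200
198.51.100.9 GET /order/confirmation?id=100042 200
"""


def find_enumerators(log_text, threshold=5):
    """Returns client IPs that fetched at least `threshold` distinct order IDs
    forming a run of consecutive numbers, the signature of ID enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or "id=" not in parts[2]:
            continue
        try:
            order_id = int(parts[2].split("id=")[1].split("&")[0])
        except ValueError:
            continue
        seen[parts[0]].add(order_id)

    flagged = []
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print("vulnerable lookup:", get_order_vulnerable(100042))
    print("secure lookup:", get_order_secure(100042, "bob@example.com"))
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
```

The ownership check is the actual fix; the random token only matters for pages that must be reachable without a login, and the log heuristic is a coarse signal that should be tuned to the site's normal traffic before it drives any automated blocking.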