Fashion retailer Express left customers’ personal data and order details exposed to the internet

April 16, 2026

What happened

Fashion chain Express has patched a security flaw after it was discovered that order confirmation pages on its online store could be viewed by changing the web address, TechCrunch has exclusively learned. It has been reported that at least a dozen customer orders were publicly listed in web search results, and the pages revealed names, phone numbers, email addresses, postal, billing and delivery addresses, purchase details and partial payment card information (card type and last four digits). Not great — and deeply unsettling for anyone who shops online.

How the flaw worked

Security advocate Rey Bango allegedly stumbled on the issue while investigating a fraudulent purchase on a family member’s account and, finding no clear way to report it to Express, asked TechCrunch to alert the company. TechCrunch verified that tweaking the order number in the confirmation-page URL could surface other customers’ orders. Express uses order numbers that are largely sequential, which allegedly makes it trivial to cycle through many records with automated tools.
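
The class of bug described above is a missing ownership check on an object referenced in the URL. The sketch below is an added illustration, not Express's code or its actual fix: it puts a lookup keyed only on the order number beside one that also requires the owning session or a per-order random token. All names, the token scheme and the sample orders are constructed assumptions.

```python
# Added illustration; not Express's code. All names and records are constructed.
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    number: int        # largely sequential, as the article describes
    customer_id: str   # account that placed the order
    view_token: str    # random per-order secret for guest or e-mail links
    summary: str


def make_order(number, customer_id, summary):
    return Order(number, customer_id, secrets.token_urlsafe(32), summary)


ORDERS = {o.number: o for o in (
    make_order(1001, "alice", "2 shirts, Visa ending 4242"),
    make_order(1002, "bob", "1 jacket, Mastercard ending 1111"),
)}


def confirmation_vulnerable(order_number):
    """Before: the order number in the URL is the only thing checked."""
    order = ORDERS.get(order_number)
    return (200, order.summary) if order else (404, "not found")


def confirmation_hardened(order_number, session_customer_id=None, token=None):
    """After: the caller must own the order or hold its unguessable token."""
    order = ORDERS.get(order_number)
    if order is None:
        return 404, "not found"
    owns = session_customer_id is not None and session_customer_id == order.customer_id
    # Constant-time comparison for the secret token.
    has_token = token is not None and hmac.compare_digest(
        token.encode(), order.view_token.encode())
    if not (owns or has_token):
        # Same reply as a missing order, so responses do not reveal which numbers exist.
        return 404, "not found"
    return 200, order.summary
```

Because the article says some pages appeared in search results, a page like this would also normally be served with a `noindex` directive; that is outside what the sketch covers.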

Response from Express

After being contacted by TechCrunch, Express fixed the bug on Wednesday. The company’s head of marketing, Joe Berean, is quoted as saying, “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.” Berean would not, however, say how customers should contact the company, whether Express has a vulnerability disclosure program, whether it can tell if anyone accessed exposed pages, or if it will notify affected customers or state attorneys general as required under U.S. data-breach laws.

Bigger picture

This isn’t an isolated embarrassment. In recent months misconfigurations and disclosure gaps have left other major retailers’ systems — Home Depot, Petco’s Vetco Clinics among them — exposed, too. Who was looking at these pages? Who saved the data? Customers will want answers, and fast. If there’s a silver lining, it’s this: these incidents underline one stubborn truth — you can’t outsource basic security hygiene. Companies that sell confidence to shoppers need to show some of it themselves.

Sources: TechCrunch