Clothing Retailer Patches Website Flaw Exposing Customer Data

Clothing Retailer Patches Website Flaw Exposing Customer Data

Clothing Retailer Patches Website Flaw Exposing Customer Data

Image: Larry Hachucka/Creative Commons

A clothing retailer patched a website flaw that exposed customer data via order links, highlighting risks associated with predictable URL structures.

Apr 17, 2026

A simple tweak to a web address was all it took to peer into someone else’s Express order.

The retailer recently patched a flaw in its website that exposed customer data through its order confirmation pages. The issue stemmed from the way Express generated sequential order IDs embedded in URLs, which allowed unauthorized access to personal details such as names, contact information, shipping addresses, and partial payment data.

The vulnerability, discovered by a security researcher, did not require advanced hacking techniques, only knowledge of how the URLs were structured.

From a fraudulent transaction investigation to uncovering a bigger problem

While many similar data exposures like this often get noticed through abnormal activity within the company’s networks, this one was spotted differently.

According to TechCrunch, the flaw was accidentally discovered by a security researcher and privacy advocate, Rey Bango. He noticed the issue while investigating a fraudulent transaction on his family member’s Express account, which was carried out using the account’s unique order number.

Bango, in his statement to TechCrunch, said:

“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order, and someone else’s order information came up!”

Normally, information like this is meant to be behind a properly authenticated page, locked away from even other Express users. But in this case, anyone who can tweak the web address for Express’ order confirmations can view almost everything the customer entered during checkout.

And with the right web automation tool? They can do this at scale. This is possible because Express assigns order numbers sequentially and adds them to the web address of its confirmation page. While not inherently a bug, it’s a dangerous practice.

The exposure included customer information such as:

  • Names
  • Phone numbers
  • Email addresses
  • Postal billing and delivery addresses
  • Order information: the purchased item
  • Partial card information, with its last four digits

Must-read security coverage

Retailer response

Speaking to TechCrunch, Joe Berean, head of Marketing at Express, confirmed they are aware of the incident and have patched it.

“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time,” Berean said.

In the same statement, Berean expressed the company’s stance on customer data, saying:

“We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”

However, TechCrunch has noted that requests for comment regarding the legal disclosure of the incident have gone unanswered.

Additionally, even as the company asks users to contact it about any security concerns, it has not updated its website to make that easy. Bango was only able to report his observation through TechCrunch, highlighting the friction anyone who currently wants to report a security issue may face.

Advertisement

What happens now?

As of this reporting, the company hasn’t notified users who might have been affected, and as per TechCrunch, has answered no further questions. But it did say its investigations are ongoing, which may suggest that, once it’s done with that, affected customers can be notified, along with a notice sent to state attorneys general.

However, that depends entirely on Express and how it structures its timeline.

Since the report didn’t specify how long that flaw had been up, anyone who’s used Express before should stay vigilant against phishing attempts and monitor for identity theft.

For a related look at how hidden vulnerabilities can open the door to larger threats, check out this report on malicious WordPress plugins planting backdoors across sites.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.