Express Fashion Retailer Exposes Customer Data Online


Key Takeaways

  • Express’s order‑confirmation pages were publicly accessible by simply altering the sequential order number in the URL, exposing personal and payment details.
  • The leaked data included names, phone numbers, email addresses, full mailing and billing addresses, itemized purchase lists, card type, and the last four digits of payment cards.
  • Security researcher Rey Bango discovered the flaw while checking a fraudulent purchase on a family member’s account and had no direct channel to report it to Express.
  • After being alerted by TechCrunch, Express patched the vulnerability on Wednesday but declined to say whether it will notify affected customers, disclose the incident to regulators, or implement a formal vulnerability‑disclosure program.
  • The incident adds to a growing list of retailers—such as Home Depot and Petco—whose misconfigurations have unintentionally leaked customer data to the internet.

Overview of the Security Flaw
Express, a major U.S.‑based clothing retailer with stores across the United States, Mexico, and the rest of Latin America, left its order‑confirmation web pages reachable by anyone who knew, or could guess, a valid order number. The page was served on the strength of the order number alone: each confirmation URL carried a numeric identifier that was largely sequential, and the server never checked that the requester was the customer who placed the order. Incrementing or decrementing the number therefore returned another customer's confirmation page without any authentication, a textbook insecure direct object reference (IDOR).

How the Flaw Was Discovered
Rey Bango, a security and privacy advocate, stumbled upon the issue while investigating a suspicious charge on a relative’s Express account. After searching Google for the order number to confirm its legitimacy, he saw a link to a different order and, upon clicking, viewed another shopper’s personal information. Recognizing the seriousness of the exposure, Bango attempted to contact Express directly but found no published security‑reporting channel, prompting him to ask TechCrunch to intervene.

Technical Details of the Exposure
The exposed pages displayed a wealth of personally identifiable information (PII). Specifically, they revealed the customer’s full name, telephone number, email address, mailing address, billing address, and delivery address. Order specifics—such as the items purchased, quantities, and prices—were also visible. Payment‑card data was partially exposed, showing the card type (Visa, MasterCard, American Express, etc.) and the last four digits of the card number, though the full card number and CVV were not displayed.

Scale of the Leak
Because Express uses largely sequential order numbers, an automated script could walk through thousands of confirmation pages in a short period. TechCrunch verified that changing only the numeric portion of the URL returned the order details of unrelated customers. The retailer did not disclose how many records were reachable, but at least a dozen orders appeared in public search‑engine results, meaning the pages had not merely been reachable but had already been crawled and indexed by Google, so anyone searching for a name or order number could land on them without trying to enumerate anything.
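The enumeration described above leaves a distinctive trace in web‑server access logs: a single client requesting many order‑confirmation pages whose order numbers form a consecutive run within a short window. The script below is an added example of how a defender might flag that pattern; it is not code from the original article or from Express. It assumes a hypothetical URL shape of /order/confirmation?orderId=<number> and combined‑log‑format lines, and the sample log lines are constructed for the demonstration.

```python
"""Flag clients enumerating sequential order numbers in access logs.

Added example, not Express's code. Assumptions: confirmation pages live at
/order/confirmation?orderId=<number> and the logs use the combined log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# Assumed URL shape; adjust to the application's real route.
ORDER_RE = re.compile(r"^/order/confirmation\?orderId=(\d+)$")

# Constructed sample: one client walks eight consecutive order numbers in
# eight seconds; two other clients look only at their own orders.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [16/May/2024:10:00:{i:02d} +0000] '
     f'"GET /order/confirmation?orderId={481200 + i} HTTP/1.1" 200 5120'
     for i in range(8)]
    + [
        '198.51.100.9 - - [16/May/2024:10:05:00 +0000] "GET /order/confirmation?orderId=481199 HTTP/1.1" 200 5100',
        '198.51.100.23 - - [16/May/2024:10:06:10 +0000] "GET /order/confirmation?orderId=477310 HTTP/1.1" 200 5100',
        '198.51.100.23 - - [16/May/2024:10:06:12 +0000] "GET /static/app.js HTTP/1.1" 200 91000',
        '198.51.100.23 - - [16/May/2024:10:30:00 +0000] "GET /order/confirmation?orderId=477311 HTTP/1.1" 200 5100',
    ]
)


def parse_line(line):
    """Return {ip, ts, order_id, status} for a confirmation-page hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    o = ORDER_RE.match(m["path"])
    if not o:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "order_id": int(o.group(1)),
        "status": int(m["status"]),
    }


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among `ids`."""
    best = run = 0
    prev = None
    for n in sorted(set(ids)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def find_enumerators(log_text, window_seconds=60, min_distinct=5, min_run=5):
    """Return {ip: summary} for clients that, within any window_seconds span,
    requested at least min_distinct order numbers including a run of min_run
    consecutive ones. Requests that returned 404 still count: a scraper that
    hits gaps in the sequence is still walking the sequence."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append((ev["ts"], ev["order_id"], ev["status"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            ids = [oid for _, oid, _ in span]
            run = longest_consecutive_run(ids)
            if len(set(ids)) >= min_distinct and run >= min_run:
                flagged[ip] = {
                    "first_seen": span[0][0].isoformat(),
                    "distinct_orders": len(set(ids)),
                    "longest_run": run,
                    "pages_served": sum(1 for _, _, st in span if st == 200),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately conservative: a real shopper opens one or two of their own orders, so five distinct numbers with a five-long consecutive run in a minute is a scraper, not a customer. Retained access logs are also what lets a company answer the question Express would not: whether anyone other than the researcher and the reporter retrieved these pages.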

Impact on Customers
The exposed information supports identity theft, phishing, and social‑engineering attacks. A message or call that quotes a customer's real name, address, and the exact items and prices on a recent order is far more convincing than a generic lure, so fake invoices, refund requests, and delivery notifications become easy to craft. The last four digits of a payment card are not enough to charge it, but they are widely used as an identity check by bank, carrier, and retailer support lines and in account‑recovery flows, so paired with the name, address, and email on the same page they make impersonating the customer materially easier.

Express’s Response
After being contacted by TechCrunch, Express acknowledged the issue and stated that it had patched the flaw on Wednesday. The company's head of marketing, Joe Berean, said in a brief statement: “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.” He added that Express had investigated the matter and would continue to review it, offering no further comment at that time.

Lack of Transparency and Follow‑Up
Berean declined to provide specifics on how customers could report security issues, whether Express intended to create a vulnerability‑disclosure program, or whether the company had access logs that would show if anyone other than the researcher and TechCrunch had retrieved the exposed pages. Without such logs, the company cannot know whether the data was scraped before the fix. He also did not answer whether Express would notify state attorneys general, as state data‑breach notification statutes may require, leaving regulators and affected consumers in the dark about the company's legal obligations.

Context Within Recent Retail Security Incidents
Express’s lapse fits a pattern of similar oversights at other large retailers. In December 2023, a security researcher found that Home Depot had left internal systems exposed for a year and struggled to alert the company. The same month, Petco took down its Vetco Clinics website after TechCrunch discovered that the site was leaking customers’ personal information and their pets’ medical records. These incidents underscore a recurring challenge: as firms expand their digital footprints, misconfigurations in web applications can unintentionally turn private data into public fodder, and the absence of a working reporting channel means the people who find the problem often cannot get it fixed.

Implications for Consumer Trust and Regulatory Scrutiny
When retailers fail to safeguard order‑confirmation pages, they erode consumer confidence, particularly among shoppers who rely on online channels for convenience. The card data exposed here is limited: PCI DSS permits a truncated card number showing only the last four digits to be displayed, so that element on its own is unlikely to draw enforcement from the card brands and acquiring banks that police the standard. The names, addresses, email addresses, and purchase histories are a different matter. They fall under state data‑privacy and breach‑notification laws, and state attorneys general may investigate whether Express met its notification obligations, potentially leading to penalties and mandated remediation.

Recommendations for Express and Similar Retailers
To prevent a recurrence, Express should enforce authorization on the order‑confirmation endpoint itself: every request must carry an authenticated session, and the server must confirm that the order belongs to that customer before rendering anything, returning the same not‑found response whether the order is missing or simply belongs to someone else. Replacing sequential order numbers in URLs with unguessable identifiers (a random token or a UUIDv4, not a time‑derived UUID variant) removes trivial enumeration, but it is defence in depth rather than a substitute for the ownership check: a random token in a URL is a bearer credential that leaks through browser history, referrer headers, proxy and CDN logs, and, as this case showed, search‑engine indexing, so the page should also be served with no‑store caching and noindex directives. The retailer should confirm it retains access logs long enough to establish who retrieved these pages before the fix. Finally, a clear, public vulnerability‑disclosure channel (a security.txt file and a monitored mailbox at minimum), staff trained to triage external reports promptly, and regular penetration testing and automated scanning for access‑control and information‑leak flaws should become standard practice.
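The recommendation above, and the flaw it addresses, can be seen side by side in a minimal handler. The code below is an added example, not code from the original article or from Express: it shows the enumerable pattern (the sequential number in the URL is the only thing checked) next to a hardened version that requires a session, looks the order up by an unguessable token, verifies ownership, and answers missing and foreign orders identically. The in‑memory store, the session argument, and the (status, headers, body) return shape are assumptions standing in for a real web framework; the customers and orders in demo() are constructed.

```python
"""Order-confirmation endpoint: the enumerable pattern beside a hardened one.

Added example, not Express's code. The store, session handling and response
shape are stand-ins for a real framework; the demo data is constructed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    order_number: int        # sequential; fine on receipts and for support calls
    customer_id: str
    items: list
    card_last4: str
    # Unguessable handle used in URLs instead of the sequential number.
    public_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


ORDERS_BY_NUMBER = {}   # order_number -> Order
ORDERS_BY_TOKEN = {}    # public_token -> Order


def create_order(customer_id, items, card_last4):
    order = Order(481200 + len(ORDERS_BY_NUMBER), customer_id, items, card_last4)
    ORDERS_BY_NUMBER[order.order_number] = order
    ORDERS_BY_TOKEN[order.public_token] = order
    return order


def render(order):
    """The page body: exactly the kind of data that was exposed."""
    return {"order_number": order.order_number, "items": order.items,
            "card_last4": order.card_last4}


# Vulnerable pattern: whoever supplies a valid number gets the page.
def confirmation_vulnerable(order_number):
    order = ORDERS_BY_NUMBER.get(order_number)
    if order is None:
        return 404, {}, None
    return 200, {}, render(order)


# Hardened pattern: session + ownership check, uniform 404, no caching or indexing.
NO_CACHE_NO_INDEX = {"Cache-Control": "no-store",
                     "X-Robots-Tag": "noindex, nofollow"}


def confirmation_hardened(session_customer_id, token):
    """Require a logged-in session AND that the order belongs to that session.
    A missing order and someone else's order get the identical 404, so the
    endpoint cannot be used to probe which tokens exist."""
    order = ORDERS_BY_TOKEN.get(token)
    if (session_customer_id is None or order is None
            or order.customer_id != session_customer_id):
        return 404, NO_CACHE_NO_INDEX, None
    return 200, NO_CACHE_NO_INDEX, render(order)


def demo():
    """Constructed scenario: two customers, and an attacker who knows one
    order number and walks its neighbours, as in the article."""
    a = create_order("cust-a", ["denim jacket"], "4242")
    b = create_order("cust-b", ["chinos", "belt"], "1111")
    walked = range(a.order_number - 2, a.order_number + 3)
    enumerated = [n for n in walked if confirmation_vulnerable(n)[0] == 200]
    # Against the hardened handler the attacker has no session and no victim token.
    anonymous_blocked = all(confirmation_hardened(None, t)[0] == 404
                            for t in ORDERS_BY_TOKEN)
    cross_status, _, _ = confirmation_hardened("cust-a", b.public_token)
    owner_status, owner_headers, _ = confirmation_hardened("cust-b", b.public_token)
    return {"enumerated_orders": len(enumerated),
            "anonymous_blocked": anonymous_blocked,
            "cross_account_status": cross_status,
            "owner_status": owner_status,
            "owner_headers": owner_headers}


if __name__ == "__main__":
    print(demo())
```

One caveat the hardened handler does not solve on its own: for guest checkouts there is no session, so the emailed confirmation link carrying the token becomes the customer's only credential. In that case the token should expire, the page should show the minimum needed (items and status, not full addresses), and a second piece of knowledge such as the email address or postal code should be required before anything more is displayed.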

Conclusion
The Express security flaw shows how a single oversight, serving an order‑confirmation page to whoever supplies an order number without checking who is asking, turns into exposure at scale once those numbers are sequential. While the company has patched the vulnerability, its reticence about customer notification, regulatory disclosure, and a usable reporting channel leaves many questions unanswered. As online shopping continues to grow, retailers must prioritize secure design, transparent communication, and proactive security programs to protect both their customers and their reputations.
