The first StrictlyVC of 2026 hits San Francisco. Tickets are going fast. Register now.
Save up to $680 on your Disrupt 2026 pass. Ends 11:59 p.m. PT tonight. REGISTER NOW .
TechCrunch Desktop Logo TechCrunch Mobile Logo Latest Startups Venture Apple Security AI Apps Events Podcasts Newsletters Search Submit Site Search Toggle Mega Menu Toggle Topics Latest
Fashion retailer Express left customers’ personal data and order details exposed to the internet Zack Whittaker 5:39 AM PDT · April 16, 2026 Fashion giant Express has patched its website to fix a security flaw that allowed anyone to view other people’s order details and personal information, TechCrunch has exclusively learned. At least a dozen of Express’ customer orders had been publicly listed in web search engine results.
The security flaw exposed order confirmation pages on Express’ online store, revealing details of purchases and who made them.
The exposed information contained customer names, phone numbers and email addresses; postal, billing, and delivery addresses; order details, including the items that a customer purchased; and partial payment card information, including the card type and the last four-digits.
Express is a large clothing retailer with hundreds of stores across the United States, Mexico and Latin America. The once-publicly listed company is now run by WHP Global, which also owns several fashion and retail giants.
Rey Bango, a security and privacy advocate, accidentally discovered the flaw after investigating a fraudulent purchase on a family member’s account, but found no way to report the flaw to Express. Bango asked TechCrunch to alert the company in an effort to get the bug fixed.
“When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order and someone else’s order information came up!” Bango told TechCrunch.
TechCrunch verified that one could tweak the order confirmation webpage address to view the order and personal information of other customers. Express uses order numbers that are largely sequential, which makes it easy to potentially cycle through thousands of orders by changing the order number in the web address using automated web tools.
After we contacted Express, the apparel giant fixed the flaw on Wednesday, but would not say if it plans to notify customers of the security lapse.
When reached for comment, Express’ head of marketing Joe Berean told TechCrunch: “We take the security and privacy of customer information seriously and encourage anyone who identifies a potential security concern to contact us directly.”
“Upon becoming aware of this issue, we investigated and continue to review the matter and have no further comment at this time,” said Berean.
Berean would not say how customers could contact the company, nor detail if the company has plans to update its website to receive reports of security flaws, such as a vulnerability disclosure program. He did not say if the company had the technical means, such as logs, to check if anyone had accessed the personal information of other customers.
The executive did not respond to follow-up questions, including if Express planned to disclose the incident to state attorneys general as required by U.S. data breach notification laws.
___________________________________________________________________________________________________________
-- --
PLEASE LIKE IF YOU FOUND THIS HELPFUL TO SUPPORT OUR FORUM.
