Express fixes website flaw that exposed customer data to open internet
Fashion retailer Express has fixed a security flaw on its website that exposed customer order details and personal information to the open internet, according to a TechCrunch investigation.
The vulnerability allowed anyone to view order confirmation pages containing customer names, phone numbers, email addresses, postal and billing addresses, purchase details, and partial payment card information including card type and last four digits. At least a dozen customer orders had already appeared in web search results before the flaw was patched.
Security researcher Rey Bango discovered the issue while investigating a fraudulent purchase on a family member's account. He found that Express used sequential order numbers, making it possible to cycle through potentially thousands of orders.
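The weakness described above, as an added illustration that is not Express's code and does not come from the TechCrunch report: a toy order store with the vulnerable lookup (a guessable sequential number is the only key and no ownership check is made) beside a hardened lookup that issues an unguessable order reference and binds it to the requesting customer, plus the response headers that keep confirmation pages out of search indexes and shared caches. The class, function and sample values (OrderStore, lookup_insecure, lookup_secure, confirmation_headers, the customer ids and card digits) are all assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Order:
    """Constructed order record; fields mirror the data the story says was exposed."""
    customer_id: str
    items: list
    card_last4: str


class OrderStore:
    """Toy in-memory store (hypothetical, not the retailer's system)."""

    def __init__(self):
        self._by_seq = {}      # sequential number -> Order (the weak key)
        self._by_ref = {}      # random reference  -> Order (the strong key)
        self._next_seq = 1000  # constructed starting point for sequential ids

    def create(self, customer_id, items, card_last4):
        order = Order(customer_id, items, card_last4)
        seq = self._next_seq
        self._next_seq += 1
        # 16 random bytes = 128 bits of entropy: not enumerable by counting upward.
        ref = secrets.token_urlsafe(16)
        self._by_seq[seq] = order
        self._by_ref[ref] = order
        return seq, ref

    def lookup_insecure(self, seq):
        """Vulnerable pattern: any caller who supplies a valid sequential
        number gets the order, with no check of who is asking."""
        return self._by_seq.get(seq)

    def lookup_secure(self, ref, requester_customer_id):
        """Hardened pattern: the key is unguessable, and the record is only
        returned to the customer it belongs to. Both failures return the same
        None so the response does not reveal whether a reference exists."""
        order = self._by_ref.get(ref)
        if order is None or order.customer_id != requester_customer_id:
            return None
        return order


def confirmation_headers():
    """Headers a confirmation page should carry so crawlers do not index it
    and intermediaries do not cache it (both are standard HTTP/robots values)."""
    return {
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "no-store, private",
    }


if __name__ == "__main__":
    store = OrderStore()
    _, ref_a = store.create("cust-A", ["shirt"], "4242")
    seq_b, ref_b = store.create("cust-B", ["jeans"], "1111")
    # Sequential key: customer A can read customer B's order by adding one.
    print("insecure lookup by neighbour:", store.lookup_insecure(seq_b))
    # Random key bound to owner: the same attempt yields nothing.
    print("secure lookup by wrong owner:", store.lookup_secure(ref_b, "cust-A"))
    print("secure lookup by owner:", store.lookup_secure(ref_b, "cust-B"))
```

The design point is that the two fixes are independent and both are needed: an unguessable reference stops counting through orders, while the ownership check stops a leaked link (for example one indexed by a search engine, as happened here) from serving the page to whoever follows it.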
"When I tried to look up if the order number was a legitimately formatted Express order number using Google, I saw a link to another order and someone else's order information came up," Bango told TechCrunch.
After being contacted
Express head of marketing Joe Berean said the company takes security and privacy seriously and encourages reporting of potential concerns, but would not provide details on how customers should contact the company or whether Express maintains logs to determine if un
The incident follows similar security lapses at other retailers in recent months, including Home Depot and Petco's Vetco Clinics, where customer data was left exposed due to website misconfigurations.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from TechCrunch and reviewed by the T&B editorial agent team.