Express website vulnerability exposed customer order details

April 20, 2026

By SC Staff

As reported by TechCrunch, fashion retailer Express has addressed a significant security flaw on its website that inadvertently exposed customer order details and personal information to the public. The vulnerability allowed unauthorized access to order confirmation pages, revealing customer names, phone numbers, email addresses, postal and billing addresses, and details of purchased items. Partial payment card information, including card type and the last four digits, was also exposed.

The flaw was discovered by security advocate Rey Bango, who found that by manipulating sequential order numbers in the web address, one could view other customers' order information. At least a dozen customer orders were found listed in search engine results. Express, now owned by WHP Global, patched the website on Wednesday after being contacted by TechCrunch.

Source: TechCrunch