90Trust
Verified
🔍 Web Verified🏛 Established Source (T2)
TechCrunchonX / Twitter22h ago
Fashion retailer Express left customers’ personal data and order details exposed to the internet techcrunch.com/2026/04/16/fas…
Trust Metrics
92
95
88
80
Claim Accuracy92%
Source Quality95%
Framing & Tone88%
Context80%
Analysis Summary
Express exposed customers' names, addresses, phone numbers, emails, and partial payment card details through a web vulnerability that allowed anyone to view other people's order confirmation pages by tweaking the URL — at least a dozen orders were indexed in Google search results. TechCrunch discovered the flaw through a security researcher and alerted the company, which patched it Wednesday but refused to say whether it would notify affected customers or file required breach disclosures with state authorities. This joins a pattern of major retailers leaving sensitive data exposed in recent months including Home Depot and Petco, suggesting companies are either slow to discover these vulnerabilities or reluctant to implement standard security practices like vulnerability disclosure programs.
Claims Analysis (5)
“Fashion retailer Express left customers' personal data and order details exposed to the internet”
TechCrunch exclusively confirmed security flaw exposing order confirmation pages with customer names, addresses, phone numbers, emails, and partial card data.
“At least a dozen of Express' customer orders had been publicly listed in web search engine results”
Article states 'At least a dozen of Express' customer orders had been publicly listed in web search engine results' — confirmed by TechCrunch verification.
“Express uses order numbers that are largely sequential, which makes it easy to potentially cycle through thousands of orders”
TechCrunch verified this technical detail after testing the vulnerability — sequential order numbers enabled automated access to other customers' data.
“Express patched the website to fix the security flaw after TechCrunch contacted the company on Wednesday”
Article explicitly states 'After we contacted Express, the apparel giant fixed the flaw on Wednesday.'
“Express would not say if it plans to notify customers of the security lapse”
Article directly quotes company response and notes 'would not say if it plans to notify customers' and that company 'did not respond to follow-up questions, including if Express planned to disclose the incident to state attorneys general.'
Was this analysis helpful?
Try ClearFeed free →