Staples had two endpoints that allowed customers to track their purchases using the order number and the postal code (ZIP) and one of them could reveal info on someone else s order. The same endpoint provided details about current orders, too, which means that someone could cause some trouble by canceling them or initiating a return. With the destination address exposed, the risk of stealing the goods upon delivery also existed. Not all customers that ordered from Staples recently received the email about their info being exposed.
Source: https://www.bleepingcomputer.com/news/security/staples-data-breach-caused-by-bug-in-order-tracking-system/