Panera Bread Breach Exposes 5.1M Customers
What happened
Panera Bread has reported a data breach affecting 5.1 million of its customers. The extortion group ShinyHunters has claimed responsibility for the attack. Exposed data primarily includes customer contact information, highlighting ongoing risks for retail and supply chain organizations.
Why it matters
- The attack vector was reportedly a social engineering incident involving a compromised Microsoft Entra single sign-on (SSO) code. This aligns with a broader campaign by threat actors using voice-phishing ("vishing") to trick employees into giving up their credentials and multi-factor authentication codes in real time.
- Although initial claims by ShinyHunters cited 14 million records, the breach is now understood to have exposed the data of approximately 5.1 million unique customers. The data was released publicly on the dark web after Panera Bread allegedly refused the hackers' ransom demand.
- This is the third significant security incident for Panera in recent years, following a 2018 breach where customer data was left exposed in plain text and a March 2024 ransomware attack that compromised employee data, leading to a $2.5 million settlement.
- In addition to contact information like names, phone numbers, and physical addresses, lawsuits filed against the company claim the exposed data also includes customer birthdates and purchase histories.
- ShinyHunters, the group responsible, has been active since at least 2020 and is known for large-scale data theft and extortion campaigns against major companies, including AT&T, Microsoft, and SoundCloud.
- Panera is now facing at least seven lawsuits from customers who allege the company failed to implement basic security procedures to protect their data.
Key numbers
- Panera Bread has reported a data breach affecting 5.1 million of its customers.
- Although initial claims by ShinyHunters cited 14 million records, the breach is now understood to have exposed the data of approximately 5.1 million unique customers.
- This is the third significant security incident for Panera in recent years, following a 2018 breach where customer data was left exposed in plain text and a March 2024 ransomware attack that compromised employee data, leading to a $2.5 million settlement.
- ShinyHunters, the group responsible, has been active since at least 2020 and is known for large-scale data theft and extortion campaigns against major companies, including AT&T, Microsoft, and SoundCloud.
Quick answers
What happened in the Panera Bread breach that exposed 5.1M customers?
Panera Bread has reported a data breach affecting 5.1 million of its customers. The extortion group ShinyHunters has claimed responsibility for the attack. Exposed data primarily includes customer contact information, highlighting ongoing risks for retail and supply chain organizations.
Why does the Panera Bread breach matter?
The attack vector was reportedly a social engineering incident involving a compromised Microsoft Entra single sign-on (SSO) code. This aligns with a broader campaign by threat actors using voice-phishing ("vishing") to trick employees into giving up their credentials and multi-factor authentication codes in real time. Although initial claims by ShinyHunters cited 14 million records, the breach is now understood to have exposed the data of approximately 5.1 million unique customers. The data was released publicly on the dark web after Panera Bread allegedly refused the hackers' ransom demand. This is the third significant security incident for Panera in recent years, following a 2018 breach where customer data was left exposed in plain text and a March 2024 ransomware attack that compromised employee data, leading to a $2.5 million settlement. In addition to contact information like names, phone numbers, and physical addresses, lawsuits filed against the company claim the exposed data also includes customer birthdates and purchase histories. ShinyHunters, the group responsible, has been active since at least 2020 and is known for large-scale data theft and extortion campaigns against major companies, including AT&T, Microsoft, and SoundCloud. Panera is now facing at least seven lawsuits from customers who allege the company failed to implement basic security procedures to protect their data.