Panera Bread Breach Exposes 5.1M Customers

- The attack vector was reportedly a social engineering incident involving a compromised Microsoft Entra single sign-on (SSO) code. This aligns with a broader campaign by threat actors using voice-phishing ("vishing") to trick employees into giving up their credentials and multi-factor authentication codes in real-time. - Although initial claims by ShinyHunters cited 14 million records, the breach is now understood to have exposed the data of approximately 5.1 million unique customers. The data was released publicly on the dark web after Panera Bread allegedly refused the hackers' ransom demand. - This is the third significant security incident for Panera in recent years, following a 2018 breach where customer data was left exposed in plain text and a March 2024 ransomware attack that compromised employee data, leading to a $2.5 million settlement. - In addition to contact information like names, phone numbers, and physical addresses, lawsuits filed against the company claim the exposed data also includes customer birthdates and purchase histories. - ShinyHunters, the group responsible, has been active since at least 2020 and is known for large-scale data theft and extortion campaigns against major companies, including AT&T, Microsoft, and SoundCloud. - Panera is now facing at least seven lawsuits from customers who allege the company failed to implement basic security procedures to protect their data.