Panera Bread Data Breach Exposes Millions of Customer Accounts
- John Jordan

Panera Bread has confirmed a significant data breach that has exposed the personal information of millions of its customers. The incident, initially claimed by the hacking group ShinyHunters to have affected 14 million accounts, has now been clarified to impact approximately 5.1 million unique individuals. The compromised data includes contact details, raising concerns about potential identity theft and phishing attacks.
Key Takeaways
- 5.1 Million Accounts Affected: While initial claims suggested 14 million customers were impacted, investigations indicate the breach compromised data for approximately 5.1 million unique Panera Bread accounts.
- Personal Information Exposed: The stolen data includes names, email addresses, phone numbers, and physical addresses.
- Attack Vector: Hackers reportedly gained access through a Microsoft Entra single sign-on (SSO) vulnerability, part of a broader voice-phishing campaign.
- Extortion Attempt Failed: ShinyHunters leaked the data after Panera Bread refused to comply with an extortion demand.
- Previous Security Lapses: This is not the first time Panera Bread has faced security issues, with a similar incident occurring in 2018.
Details of the Breach
The cybersecurity incident at Panera Bread came to light when the hacking group ShinyHunters claimed to have stolen millions of customer records. Initially, the group asserted that over 14 million customer records were compromised. However, analysis by data breach notification service Have I Been Pwned? (HIBP) and other security researchers suggests that the actual number of unique individuals affected is closer to 5.1 million. The compromised data includes names, email addresses, phone numbers, and physical addresses.
How the Attack Occurred
ShinyHunters has claimed that they gained access to Panera Bread's systems through a vulnerability in Microsoft Entra single sign-on (SSO). This method aligns with recent warnings from security firms about an increase in voice-phishing (vishing) attacks targeting SSO platforms. These attacks often involve tricking employees into approving authentication requests or entering credentials on fake login pages, allowing attackers to bypass security measures.
The Aftermath and Legal Repercussions
Following the breach, ShinyHunters published a large archive of the stolen data on its leak site after an attempted extortion failed. The exposure of this personal information has led to multiple class-action lawsuits being filed against Panera Bread, alleging that the company failed to adequately protect customer data. These lawsuits seek damages and improved security measures for affected customers.
Panera Bread's History of Security Issues
This incident is not the first time Panera Bread has experienced a significant data security lapse. In 2018, a cybersecurity researcher discovered that the company had left millions of customer records exposed online. This past event, along with the current breach, highlights ongoing challenges in securing large-scale customer data.
Protecting Yourself
Customers affected by the breach are advised to take several steps to protect themselves:
- Change Passwords: Immediately change the password for your Panera Bread account and any other accounts where you may have reused the same password.
- Enable Two-Factor Authentication (2FA): Activate 2FA on all online accounts, especially email and financial services.
- Be Wary of Phishing: Exercise caution with unsolicited emails, messages, or calls, as attackers often follow breaches with targeted phishing attempts.
- Monitor Accounts: Keep a close eye on your financial accounts and credit reports for any suspicious activity.
- Consider Identity Theft Protection: Services that monitor for identity theft can provide an extra layer of security.
Sources
- Panera Bread confirms data breach exposed customer contact information, Fox News.
- Panera Bread breach impacts 5.1 million accounts, not 14 million customers, BleepingComputer.
- Panera Bread data breach exposed personal info of 5.1 million customers, CyberInsider.
- Panera Bread data breach much more serious than we thought - over 5 million customers were hit, new reports claim, TechRadar.
- Panera Bread breach affected 5.1 Million accounts, HIBP Confirms, Security Affairs.







