Hackers publish 760GB Panera data dump; 5.1 million customers likely affected

Hacker group ShinyHunters claimed it stole roughly 14 million records from Panera Bread and published a roughly 760 GB archive on a Tor-based leak site, a release that researchers say contains about 5.1 million unique email addresses, likely representing the number of Panera customers exposed. Panera confirmed the intrusion, saying "the data involved is contact information."

Analysts at Have I Been Pwned examined the published files and counted the 5.1 million unique email addresses. The archive, which ShinyHunters issued after what researchers say was a failed extortion attempt, reportedly includes names, phone numbers, home addresses and, in some entries, account details. Panera has told investigators and the public only that contact information was accessed and has said it has notified law enforcement and taken steps to address the incident.

Security researchers and forensic posts attribute the breach to a compromise of Microsoft Entra single-sign-on credentials tied to a pattern of voice-phishing, or vishing, attacks that target SSO systems and can defeat some forms of multi-factor authentication. The attackers are reported to have used techniques that obtain authentication codes and session tokens to gain access to cloud-based software-as-a-service environments. Cory Michal, chief security officer at AppOmni, said, "This aligns closely with Okta's recent warnings about vishing-driven SSO compromise targeting Okta, Microsoft, and Google. Okta has described custom, real-time kits used during voice calls to capture credentials/session tokens and defeat non-phishing-resistant MFA across these major identity ecosystems."

The breadth of exposed contact information creates immediate risks for affected customers. Ensar Seker, chief information security officer at SOCRadar, warned, "From a defender's perspective, 5.1 million compromised accounts still represents a massive downstream risk for credential stuffing, phishing, and identity-based attacks well beyond Panera itself." Ade Clewlow, associate director and senior advisor at NCC Group, added, "The Panera Bread data breach will be devastating for those affected. Not only do affected customers run the risk of identity theft, but we know that PII [Personally Identifiable Information] is sold on to other criminal groups on the dark web who will exploit victims through social engineering. The combination of PII that has been taken, if true, poses a real risk to the victims of this hack."

ShinyHunters has said Panera was one of several companies targeted in a broader campaign that security observers link to recent intrusions affecting technology and consumer services platforms. Names cited in connection with the same campaign include Crunchbase, SoundCloud, CarMax, Bumble and Match Group. Investigators have not released a full field-level manifest of the Panera archive, and Panera has not provided a detailed technical post-mortem.

This is the latest in a string of security problems at Panera: the company faced scrutiny in 2018 for exposed customer data and confirmed a data security incident in March 2024 that disrupted online ordering and in-store systems. Last year Panera agreed to a $2.5 million settlement with affected employees. For now, security experts say customers should assume their contact information is compromised, lock or change reused passwords, enable phishing-resistant authentication where possible, and watch for targeted scams that use the stolen PII to impersonate Panera or related services.