Panera Bread breach affected 5.1 Million accounts, HIBP Confirms

Have I Been Pwned says Panera Bread’s breach affected 5.1 million accounts, far fewer than the 14 million customers first reported.

Have I Been Pwned followed claims by the ShinyHunters gang, which said it stole data from over 14 million Panera Bread accounts. After Panera refused to pay, the group leaked a 760MB archive on its data leak site. ShinyHunters said it accessed Panera’s systems using a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO accounts at major identity providers across more than 100 organizations.

“In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses,” reported HIBP. “Panera Bread subsequently confirmed that ‘the data involved is contact information’ and that authorities were notified.”

BleepingComputer confirmed that roughly 5,120,000 accounts were impacted, adding that the number of affected users may be lower since individuals may have used more than one account.

So far, Panera has confirmed the breach to authorities, saying the exposed data was contact information, but it has not yet issued public notifications.

Panera Bread is a U.S.-based bakery-café chain known for bread, sandwiches, soups, salads, and coffee. Founded in 1987, it operates thousands of locations and focuses on fast-casual dining with dine-in, takeout, and delivery options.

In April 2018, the popular journalist and cyber investigator Brian Krebs revealed that Panera Bread’s website had leaked millions of customer records, including names, email and physical addresses, birthdays and the last four digits of customers’ credit card numbers, for at least eight months before it was taken offline.

Panera Bread exposed the data for at least eight months after the company was first notified of the data leak.

The company also exposed customers’ Panera loyalty card numbers, which could be used by scammers to spend prepaid accounts or to steal value from Panera customer loyalty accounts.

The disconcerting aspect of the story is that the issue was first reported to Panera Bread by the security researcher Dylan Houlihan on August 2, 2017.

The expert reported that at first the IT staff did not acknowledge the flaw, but after further investigation, the director of information technology, Mike Gustavison, told the expert that the issue was fixed.

Houlihan verified that the issue was not fixed and on April 2nd, 2018, reported it to Brian Krebs.

Panera told Fox Business that the data leak affected only about 10,000 records, but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)