Earlier this week, the hacker group ShinyHunters confirmed their involvement in a significant data breach at Panera Bread, which led to the theft of over 14 million customer records. The stolen information includes personal details like names, email addresses, phone numbers, home addresses, and account data. Panera Bread has acknowledged the breach and described the compromised data as “contact information” in a statement to Bloomberg. The company also revealed that it has notified law enforcement and is taking steps to resolve the incident.
Cybersecurity experts, including Ade Clewlow from NCC Group, have warned that the breach could have serious consequences for affected customers. “The Panera Bread data breach will be devastating,” Clewlow said, emphasizing the risks of identity theft and how personally identifiable information (PII) is often sold on the dark web, where cybercriminals can use it for social engineering attacks.
According to ShinyHunters, they gained access to Panera Bread’s database by exploiting a Microsoft Entra single sign-on (SSO) code. This method of attack mirrors recent warnings issued by Okta, a similar platform that provides SSO services. Okta cautioned about rising voice phishing (or “vishing”) attacks, where attackers pose as IT workers to trick targets into revealing their login credentials on fake websites that mimic legitimate SSO platforms.
Cory Michal, CSO at security firm AppOmni, linked this attack to Okta’s warning, stating that such vishing campaigns are being used to bypass traditional multi-factor authentication (MFA) security measures. These types of attacks can capture sensitive login information in real time, making it easier for hackers to compromise systems that do not rely on phishing-resistant MFA.
This isn’t Panera Bread’s first security breach. In 2018, the company faced backlash after millions of customers’ personal data was exposed in plain text on its website. Michal pointed out that this ongoing pattern of data breaches highlights the difficulties large organizations face in securing their systems at scale, particularly when it comes to SaaS and identity security.
ShinyHunters has previously claimed responsibility for breaches at other high-profile companies, including Bumble, Match, and CrunchBase. They’ve also posted stolen data from platforms like CarMax, with an affiliated group, Scattered LAPSUS$ Hunters, taking credit for some of those breaches.
Tim Rawlins, a senior adviser at NCC Group, urged companies to take a more proactive approach to cybersecurity. He highlighted the risks of social engineering tactics, like attackers posing as helpdesk staff to gain access to sensitive information, and recommended improving staff awareness and implementing phishing-resistant MFA as key defenses against these types of attacks.
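The article describes a vishing flow in which a fake SSO page relays whatever the victim types to the real service in real time, and it names phishing-resistant MFA as the key defence. The simulation below is an added example, not code from the article or from any of the companies mentioned; it uses constructed origins (`sso.example.com` and a lookalike `sso-example.com`) and stands in a keyed HMAC for the authenticator's public-key signature so it runs offline. It shows why a one-time code typed into a lookalike site still logs the attacker in, while an origin-bound WebAuthn-style assertion signed for the lookalike origin is rejected by the real relying party.

```python
"""Added example (not from the article): relayed TOTP codes are phishable,
origin-bound WebAuthn-style assertions are not. Standard library only.

Simplifications (constructed for illustration): the authenticator signs with
an HMAC key shared with the relying party instead of a per-site key pair, and
the "browser" is a function that fills in whichever origin it was served from.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://sso.example.com"   # constructed legitimate SSO origin
FAKE_ORIGIN = "https://sso-example.com"    # constructed lookalike phishing origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Note: the code carries no information
    about which website it was typed into, so it can be replayed anywhere."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relayed_totp_login(secret: bytes, code_typed_on_fake_site: str, now: int) -> bool:
    """The fake site forwards the victim's code to the real service within the
    same 30-second window. The real service has no way to tell it was relayed."""
    return hmac.compare_digest(totp(secret, now), code_typed_on_fake_site)


class Authenticator:
    """Stand-in for a FIDO2 authenticator: signs the challenge *and* the origin
    the browser says it is talking to (the WebAuthn clientDataJSON)."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, challenge: bytes, origin_seen_by_browser: str) -> dict:
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": origin_seen_by_browser},
            sort_keys=True,
        ).encode()
        signature = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": signature}


class RelyingParty:
    """The real SSO service. It accepts an assertion only if the challenge is
    one it issued, the signed origin is its own, and the signature verifies."""

    def __init__(self, origin: str, authenticator_key: bytes) -> None:
        self.origin = origin
        self.key = authenticator_key
        self.pending_challenges: set[str] = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending_challenges.add(challenge.hex())
        return challenge

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("challenge") not in self.pending_challenges:
            return False                      # replay or unsolicited assertion
        self.pending_challenges.discard(data["challenge"])
        if data.get("origin") != self.origin:
            return False                      # signed for a lookalike site: phished
        expected = hmac.new(self.key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> dict:
    """Three logins: a relayed TOTP code, a relayed WebAuthn assertion from the
    lookalike origin, and a genuine WebAuthn login. Returns accept/reject each."""
    results = {}

    # 1. Victim types the current TOTP code into the fake page; it is relayed.
    totp_secret = secrets.token_bytes(20)
    now = 1_700_000_000                      # constructed timestamp
    results["totp_relayed"] = relayed_totp_login(totp_secret, totp(totp_secret, now), now)

    # 2. Same relay against WebAuthn: attacker fetches a real challenge, hands it
    #    to the victim's browser, but the browser is on FAKE_ORIGIN and signs that.
    authenticator = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, authenticator.key)
    challenge = rp.new_challenge()
    relayed = authenticator.sign(challenge, FAKE_ORIGIN)
    results["webauthn_relayed"] = rp.verify(relayed)

    # 3. Genuine login straight from the legitimate origin.
    challenge = rp.new_challenge()
    genuine = authenticator.sign(challenge, LEGIT_ORIGIN)
    results["webauthn_legit"] = rp.verify(genuine)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:18} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The point the article attributes to Michal and Rawlins falls out of the origin check in `RelyingParty.verify`: a helpdesk impersonator can talk a user through typing a code, but cannot make the user's browser sign the legitimate origin while it is actually on the lookalike page.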