Panera Bread’s data leak might affect more than 37 million customers

It’s getting to the point where no matter what kind of business you conduct, there is a very real risk of seeing your personal information leaked to nefarious parties. So far, hackers have gained access to banking, credit reporting, health insurance, email, and seemingly just about every other modern circumstance where your data is saved in a database. The latest: That soup and salad you ordered online at Panera Bread might have cost you some peace of mind.

According to KrebsOnSecurity, the food chain’s website was leaking information for a minimum of eight months, specifically the names, email addresses, physical addresses, birthdays, and last four credit card numbers for customers who placed online orders. The company has more than 2,100 restaurants throughout the U.S. and Canada, and that amounts to a huge number of potentially affected accounts.

The leak was first brought to Panera’s attention on August 2, 2017, by security researcher Dylan Houlihan. For whatever reason, the system was only taken offline on Tuesday, April 3, leaving a full eight months during which anyone with the appropriate knowledge could have scraped the information and used it in a variety of potentially damaging ways. As KrebsOnSecurity indicates, the database’s format is such that customers could be easily searched and identified using any of the data.

As Houlihan put it, “Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you would like, up to and including the entire database.” In Houlihan’s opinion, Panera did nothing to address the issue during the entire eight-month period.

The number of customers affected by the breach is uncertain. While Panera has stated that only 10,000 accounts were compromised and that requiring a valid account login to access the information would mitigate the problem, further information indicates that the number of affected customers could number in the millions. In fact, more than 37 million customer records could be involved.
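The weakness Houlihan describes is a missing object-level authorization check: requiring a login does nothing if any logged-in user can read any record by changing a sequential account ID. The following Python sketch is an added example, not Panera’s code or anything from the KrebsOnSecurity report; the `Account` records, `lookup_vulnerable`, `lookup_hardened`, `Forbidden` and `opaque_id` are all hypothetical names over constructed sample data, showing the flawed pattern beside the corrected one.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    name: str
    email: str
    card_last4: str


# Constructed sample records for the example; not real customer data.
ACCOUNTS = {
    1001: Account(1001, "Alice Example", "alice@example.com", "1234"),
    1002: Account(1002, "Bob Example", "bob@example.com", "5678"),
}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def lookup_vulnerable(session_user_id, requested_id):
    """Flawed pattern: a login is required, but any logged-in user can
    read any record simply by supplying another sequential ID."""
    if session_user_id is None:
        raise Forbidden("login required")
    return ACCOUNTS.get(requested_id)


def lookup_hardened(session_user_id, requested_id):
    """Object-level authorization: a record is returned only to the
    account that owns it. 'Not yours' and 'does not exist' produce the
    same error so the response does not reveal which IDs are populated."""
    if session_user_id is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(requested_id)
    if record is None or record.account_id != session_user_id:
        raise Forbidden("not found")
    return record


def opaque_id():
    """Unguessable public identifier to use instead of a sequential
    integer: defence in depth on top of the ownership check above,
    never a substitute for it."""
    return secrets.token_urlsafe(16)
```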

As always, if you are potentially affected by this data breach, you will want to keep a close eye on all of your credit, banking, and other activity. If you see anything suspicious, then contact the relevant companies immediately. You might also consider investing in an identity theft protection service that can help you keep an eye out for any privacy concerns.
