breach could have impacted millions breach could have impacted millions

Customers who signed up for a account in order to order fast-casual baked goods may want to guard their dough. Security researcher Brian Krebs reported yesterday that the website for the bakery chain leaked millions of customer records, including names, emails, physical addresses, birthdays, and the last four digits of customers’ credit card numbers.

Until Monday, millions of customer data points were accessible on the site as plain text—an oversight that Krebs maintains left data exposed for at least eight months. While Panera was contacted by security researcher Dylan Houlihan back in August 2017 about the leak, it appears they did not take action to fix it, despite reassurances they were working on a resolution.

Once Krebs notified Panera about the breach, the company took its website offline for a brief period of time. When the site came back online, the customer data was no longer available.

Panera issued statements to the press that they moved to fix the breach hours after Krebs reached out to them, though they didn’t address the eight-month gap in action from their first notification. In addition, they stated that only 10,000 customer records were exposed, though researcher HoldSecurity claims it’s more like 37 million.

While this story is still developing, we urge our readers to take necessary precautions to protect their data. An unprecedented season of breaches in 2017 gave way to more breach discoveries in early 2018, with companies such as Orbitz, Lord & Taylor/Saks Fifth Avenue, and MyFitnessPal collectively exposing more than 155 million users.

Recognize that while the flood of data breaches in itself is alarming, we still haven’t seen the full potential for the consequences of giving such valuable data freely to the black market. As tax season comes to a close, for example, we may be poised for a deluge of fraudulent claims and identity theft as criminals try to cash in on their data. Because of this, we suggest taking similar steps as after the Equifax breach, which includes monitoring credit reports, staying on high alert for email, phone, or text scams, and enabling alerts on your accounts.

The more we see infringements of the size and proportion of the breach, the more we caution users to just assume their data has been compromised. Right now, the best we can do—until companies buckle down harder on security and privacy protocols—is to caution everyone to protect their data from being used to harm them.

Stay safe, everyone.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.