panerabread.com data breach

panerabread.com

What Happened

In January 2026, Panera Bread (panerabread.com) suffered a major data breach attributed to the cybercrime group ShinyHunters. The attackers gained unauthorized access via a compromised Microsoft Entra single sign-on (SSO) code, likely obtained through voice phishing (vishing) targeting employees.

The attackers stole personally identifiable information (PII) from approximately 5.1 million unique customer accounts, including names, email addresses, phone numbers, and physical addresses, along with data from over 26,000 employees. Panera confirmed that only contact information was exposed, with no financial or login credentials compromised. ShinyHunters initially claimed 14 million records and published a 760 MB archive on their dark web site on January 27, 2026, after Panera refused extortion demands.

The breach exploited weak authentication and insecure APIs and was added to Have I Been Pwned on January 31, 2026. It prompted Panera to notify authorities and to enhance security measures such as API rate limiting and monitoring, and the company faces class-action lawsuits alleging negligence, especially given prior incidents in 2018 and 2024.

Compromised Assets

  • email
  • first name
  • last name
