Cyber Incident Victim: Panera Bread
Date: Jan 2026
Location: United States of America
Summary
Hackers associated with the ShinyHunters extortion group leaked approximately 5.1 million customer records following unsuccessful ransom demands against the bakery-cafe chain. The attackers compromised a Microsoft Entra single-sign-on system using voice phishing tactics, enabling unauthorized access to cloud-based SaaS environments and the theft of 14 million records. Exposed data included email addresses, names, physical addresses, and phone numbers, posing significant downstream risks for credential stuffing and phishing attacks. The group has escalated similar vishing-driven campaigns targeting SSO configurations and help-desk social engineering across multiple sectors. The victim organization acknowledged the intrusion, confirming the theft of contact information but provided no further details regarding mitigation or investigation progress.
Description
In February 2026, hackers associated with the ShinyHunters extortion group leaked approximately 5.1 million Panera Bread customer records following an unsuccessful extortion attempt against the company. The group claimed responsibility for stealing roughly 14 million records by compromising a Microsoft Entra single-sign-on (SSO) code, leveraging voice phishing (vishing) tactics to bypass multi-factor authentication (MFA) and gain access to Panera’s cloud-based SaaS environments. The attackers published a 760GB data archive on their Tor-based leak site, which contained unique email addresses, names, physical addresses, and phone numbers of affected customers. Panera Bread confirmed the intrusion to Reuters, acknowledging the theft of customer "contact information" but did not disclose further technical details or respond to SecurityWeek’s inquiries. The breach notification service Have I Been Pwned linked the leak directly to the failed extortion effort, noting the dataset’s potential to facilitate credential stuffing, phishing, and identity-based attacks against impacted individuals.

The incident reflected ShinyHunters’ escalating pattern of vishing-driven SSO compromises targeting organizations across multiple sectors, including recent breaches at Betterment, Crunchbase, and SoundCloud. The group’s methodology centered on social engineering attacks against corporate help desks to obtain SSO authentication codes, enabling unauthorized access to SaaS platforms without exploiting technical vulnerabilities. SOCRadar CISO Ensar Seker characterized the attack as indicative of evolving threats to identity-centric security perimeters, emphasizing SSO misconfigurations, MFA fatigue, and help-desk social engineering as critical attack vectors. Panera’s breach exposed systemic risks associated with trusted authentication flows, as the leaked customer data provided attackers with extensive reconnaissance material for downstream exploitation. While Panera did not disclose containment measures or system recovery actions, the public release of the data archive confirmed the operational failure to prevent the leak after initial intrusion. The 5.1 million unique email addresses represented the confirmed impact scope, though ShinyHunters’ broader claim of 14 million records remained unverified by independent sources at the time of reporting.
