Panera Bread Breach: 5.1 Million Accounts Compromised in SSO Attack

Security Reporter

Panera Bread confirms data breach affecting 5.1 million customer accounts after ShinyHunters extortion attempt fails. Attackers gained access via Microsoft Entra SSO as part of broader vishing campaign targeting major organizations.

Panera Bread has confirmed a data breach affecting approximately 5.1 million customer accounts after an extortion attempt by the ShinyHunters cybercrime group failed. The breach, which occurred in January 2026, exposed personal information including names, phone numbers, physical addresses, and email addresses of Panera Bread users.

Breach Scale and Impact

The popular U.S. bakery-cafe chain, founded in 1987 and operating nearly 2,300 locations across 48 states and Ontario, Canada, initially faced reports suggesting 14 million customers were affected. However, data breach notification service Have I Been Pwned clarified that this number represented records stolen during the attack, with only 5.1 million unique email addresses among the compromised data.

BleepingComputer's analysis of the leaked data revealed that the 14 million records contain personal information for roughly 5,120,000 unique user accounts. This discrepancy suggests that some individuals may have multiple accounts, or that the stolen dataset included duplicate or incomplete records.

The breach also impacted Panera Bread employees, with BleepingComputer identifying over 26,000 unique panerabread.com email addresses in the leaked data, indicating that staff PII was also compromised.

Attack Methodology

ShinyHunters claimed they gained access to Panera's systems through a Microsoft Entra single sign-on (SSO) code. This attack was part of a broader vishing (voice phishing) campaign targeting SSO accounts at major providers including Okta, Microsoft, and Google across more than 100 high-profile organizations.

Vishing attacks typically involve social engineering techniques where attackers impersonate legitimate entities over phone calls or voice messages to trick employees into revealing credentials or granting access to secure systems. In this case, the attackers successfully compromised Panera Bread's SSO infrastructure, providing them with access to customer databases and internal systems.

Extortion and Data Exposure

Following the breach, ShinyHunters attempted to extort Panera Bread, demanding payment in exchange for not publishing the stolen data. When the company did not comply with their demands, the group published approximately 760 MB of documents on their dark web leak site.

"These files were leaked on the ShinyHunters DLS because the victim did not pay a ransom or cooperate and comply with the ShinyHunters group," the extortion gang stated in a text file accompanying the leaked archive.

Company Response and Previous Incidents

While Panera Bread has not yet filed formal data breach notifications or issued a comprehensive public statement about the January 2026 incident, the company has notified authorities and confirmed the breach. In their communication, Panera stated that "the data involved is contact information," suggesting that financial data and payment information were not compromised.

This is not Panera Bread's first encounter with cybersecurity incidents. In June 2024, the company notified employees of a separate data breach after threat actors stole personal information during a March 2024 ransomware attack that caused a nationwide IT outage.

Broader Context of ShinyHunters Activity

The Panera Bread breach is part of a larger wave of attacks attributed to ShinyHunters. The group has claimed responsibility for several high-profile breaches in recent months:

  • Match Group: The online dating giant, which owns Tinder, Match.com, Hinge, Meetic, and OkCupid, confirmed a breach affecting its platforms. ShinyHunters leaked 1.7 GB of compressed files allegedly containing internal documents and approximately 10 million user records from Hinge, OkCupid, and Match.

  • SoundCloud: The audio streaming platform confirmed a ShinyHunters attack in December 2025 following widespread reports of users encountering 403 "Forbidden" errors when connecting via VPN. The breach affected 29.8 million accounts, according to Have I Been Pwned.

Security Implications and Recommendations

This breach highlights several critical security concerns for organizations:

  1. SSO Vulnerabilities: The attack demonstrates how compromising single sign-on systems can provide attackers with broad access to multiple services and databases. Organizations should implement additional security layers beyond SSO, including multi-factor authentication and regular security audits.

  2. Vishing Defense: The success of this vishing campaign underscores the need for comprehensive employee training on social engineering tactics. Organizations should conduct regular phishing simulations and establish clear protocols for verifying the identity of individuals requesting access or credentials.

  3. Data Minimization: The breach exposed contact information for millions of customers, raising questions about data retention policies. Companies should regularly review what customer data they collect and store, retaining only what is necessary for business operations.

  4. Incident Response: Panera Bread's experience illustrates the importance of having a robust incident response plan that includes clear communication strategies for customers and stakeholders when breaches occur.

What Affected Customers Should Do

Customers whose data was compromised in this breach should take the following steps:

  • Monitor Accounts: Watch for suspicious activity on any accounts associated with the compromised email addresses, particularly on Panera Bread's platform.

  • Change Passwords: Update passwords for Panera Bread accounts and any other accounts using the same or similar passwords.

  • Enable Multi-Factor Authentication: If available, enable MFA on all accounts to add an extra layer of security.

  • Be Vigilant for Phishing: Expect an increase in phishing attempts using the stolen personal information. Be cautious of unsolicited communications claiming to be from Panera Bread or other organizations.

  • Credit Monitoring: While financial data doesn't appear to have been compromised, consider credit monitoring services as a precaution against potential identity theft.

As data breaches continue to affect major corporations, this incident serves as a reminder that even well-established companies with significant security resources remain vulnerable to sophisticated cyber attacks. The combination of social engineering tactics and technical vulnerabilities in SSO systems presents a formidable challenge for organizations seeking to protect customer data.

Panera Bread entry on ShinyHunters leak site
