The ShinyHunters cybercrime group claims to have compromised over 14 million records from Panera Bread through a weak Microsoft Entra SSO implementation, alongside breaches at CarMax and Edmunds, continuing its pattern of identity-focused attacks.

Cybercriminals operating under the ShinyHunters banner have claimed responsibility for significant data breaches affecting Panera Bread, CarMax, and Edmunds, exposing millions of customers' personal information through compromised single sign-on (SSO) systems. The attacks highlight growing vulnerabilities in cloud identity management platforms used by major corporations.
Breach Details and Data Exposure
According to ShinyHunters' claims verified by multiple security researchers, the group accessed:
- Panera Bread: 14 million records containing names, email addresses, physical addresses, phone numbers, and account details (760 MB compressed data)
- CarMax: 500,000 customer records including personally identifiable information (1.7 GB compressed)
- Edmunds: Millions of vehicle review records (12 GB compressed)
The attackers specifically stated they gained access to Panera's systems through a compromised Microsoft Entra (formerly Azure Active Directory) SSO implementation. For CarMax and Edmunds, the breaches appear unrelated to the Panera intrusion but follow similar patterns of credential theft.
Attack Methodology and SSO Vulnerabilities
Security researchers at Mandiant and Silent Push confirm ShinyHunters is employing sophisticated voice-phishing (vishing) techniques targeting IT helpdesks:
- Attackers impersonate corporate IT staff via phone
- Victims are directed to fake SSO login pages mimicking legitimate services
- Real-time phishing kits capture credentials and bypass multi-factor authentication (MFA)
This approach mirrors previous attacks against Crunchbase and Betterment where ShinyHunters used similar methods to compromise Okta SSO implementations. Last week, Okta issued warnings about these evolving identity-focused attacks targeting cloud authentication systems.
Compliance Implications
Under data protection regulations:
- GDPR (EU): Companies must notify authorities within 72 hours of discovering breaches affecting EU citizens
- CCPA (California): Requires disclosure to affected California residents within 45 days
- Potential fines: Up to 4% of global turnover under GDPR, $2,500-$7,500 per violation under CCPA
Affected companies face significant compliance challenges given the scale of exposed personally identifiable information (PII). Neither Panera Bread, CarMax, nor Edmunds has issued an official statement as of publication time.
Broader Campaign Patterns
Security firm Silent Push published a list of nearly 100 organizations potentially targeted in this campaign, with researchers noting:
"We've detected active targeting or infrastructure preparation directed at your domain in the last 30 days"
- Zach Edwards, Silent Push Senior Threat Researcher
Charles Carmakal, Mandiant Consulting CTO, confirmed to The Register that this represents a "new, ongoing ShinyHunters-branded campaign" specifically focused on identity infrastructure compromise.
User Protection Recommendations
Consumers potentially affected should:
- Reset passwords on any other accounts that reuse the same credentials
- Enable MFA using authenticator apps rather than SMS
- Monitor credit reports for suspicious activity
- Beware of phishing attempts referencing the breaches
Organizations using cloud identity providers like Microsoft Entra, Okta, or Google Workspace should implement:
- Phishing-resistant authentication methods
- Strict verification protocols for helpdesk interactions
- Continuous monitoring of SSO access patterns
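The attack chain described above (a vished helpdesk reset, then a real-time phishing kit that proxies the SSO login and replays the captured session) leaves traces in the identity provider's own logs, which is what "continuous monitoring of SSO access patterns" has to look for. The following is an added example written for this article, not code from Microsoft, Mandiant, Silent Push or any of the affected companies. It runs two detections over constructed sign-in and audit events whose field names only loosely resemble Entra ID's (`user`, `ip`, `asn`, `session`, `mfa`, `activity`, `initiated_by` are assumptions, as are the sample values): a session that satisfied MFA and is then presented from a different network minutes later, and a helpdesk-initiated MFA reset followed within an hour by a sign-in from a network the user has never used.

```python
"""
Added example (not from the article or any vendor): two detections over
constructed Entra-style sign-in and audit logs.

1. find_session_reuse: a session that satisfied MFA is presented again from a
   different network (ASN) within a short window. A real-time (AiTM) phishing
   kit proxies the legitimate login page, captures the post-MFA session and
   replays it from the kit's own infrastructure, so one session appears from
   two networks minutes apart.
2. find_post_reset_signins: a helpdesk-initiated MFA reset followed within an
   hour by a sign-in from an ASN the user had never used before the reset,
   the trace a vishing-driven reset leaves behind.

Field names and sample events are constructed to loosely resemble Entra ID
logs; they are not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNINS = [  # constructed sign-in events
    {"time": "2025-01-06T09:00:00", "user": "alice@example.com", "ip": "203.0.113.10", "asn": "AS64500", "session": "sess-a1", "mfa": "satisfied"},
    {"time": "2025-01-06T09:04:00", "user": "alice@example.com", "ip": "198.51.100.7", "asn": "AS64501", "session": "sess-a1", "mfa": "previously_satisfied"},
    {"time": "2025-01-06T10:00:00", "user": "bob@example.com", "ip": "203.0.113.20", "asn": "AS64500", "session": "sess-b1", "mfa": "satisfied"},
    {"time": "2025-01-06T15:30:00", "user": "bob@example.com", "ip": "203.0.113.20", "asn": "AS64500", "session": "sess-b1", "mfa": "previously_satisfied"},
    {"time": "2025-01-06T11:00:00", "user": "carol@example.com", "ip": "203.0.113.30", "asn": "AS64500", "session": "sess-c1", "mfa": "satisfied"},
    {"time": "2025-01-06T11:40:00", "user": "carol@example.com", "ip": "192.0.2.55", "asn": "AS64502", "session": "sess-c2", "mfa": "satisfied"},
]

AUDITS = [  # constructed audit events (helpdesk-initiated MFA resets)
    {"time": "2025-01-06T11:20:00", "user": "carol@example.com", "activity": "Reset MFA methods", "initiated_by": "helpdesk@example.com"},
    {"time": "2025-01-06T08:00:00", "user": "bob@example.com", "activity": "Reset MFA methods", "initiated_by": "helpdesk@example.com"},
]


def _t(stamp):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(stamp)


def find_session_reuse(signins, window=timedelta(minutes=30)):
    """Return (user, session, mfa_asn, replay_asn) for every session that was
    presented from a different ASN within `window` of its MFA-satisfied sign-in."""
    by_session = defaultdict(list)
    for ev in signins:
        by_session[(ev["user"], ev["session"])].append(ev)
    alerts = []
    for (user, session), evs in by_session.items():
        evs.sort(key=lambda e: _t(e["time"]))
        # The sign-in where MFA was actually completed anchors the session.
        anchor = next((e for e in evs if e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue
        for later in evs:
            if later is anchor:
                continue
            delta = _t(later["time"]) - _t(anchor["time"])
            if later["asn"] != anchor["asn"] and timedelta(0) <= delta <= window:
                alerts.append((user, session, anchor["asn"], later["asn"]))
                break  # one alert per session is enough for triage
    return alerts


def find_post_reset_signins(signins, audits, window=timedelta(hours=1)):
    """For each helpdesk MFA reset, return (user, initiator, asn, ip) for sign-ins
    within `window` after the reset that come from an ASN the user had never
    used before it. With no prior history every ASN counts as new, which is the
    conservative choice for a freshly reset account."""
    alerts = []
    for audit in audits:
        if audit["activity"] != "Reset MFA methods":
            continue
        reset_at = _t(audit["time"])
        user_events = sorted((e for e in signins if e["user"] == audit["user"]),
                             key=lambda e: _t(e["time"]))
        known_asns = {e["asn"] for e in user_events if _t(e["time"]) < reset_at}
        for ev in user_events:
            delta = _t(ev["time"]) - reset_at
            if timedelta(0) <= delta <= window and ev["asn"] not in known_asns:
                alerts.append((audit["user"], audit["initiated_by"], ev["asn"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SIGNINS):
        print("session reused from a second network:", alert)
    for alert in find_post_reset_signins(SIGNINS, AUDITS):
        print("sign-in from new network after helpdesk MFA reset:", alert)
```

On the constructed data the first detection fires for alice's session (MFA completed from AS64500, the same session presented from AS64501 four minutes later) and the second for carol (helpdesk reset at 11:20, sign-in from a never-seen ASN at 11:40); bob, who stays on one network and whose reset is followed by a sign-in hours later, produces nothing. In a real deployment the session and ASN fields come from the identity provider's sign-in export, and the helpdesk alert is the natural place to enforce the callback or ticket-verification step the article recommends before a reset is honoured.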
The breaches underscore critical vulnerabilities in widely adopted cloud identity systems that serve as central authentication points for multiple enterprise applications. As attackers increasingly target these systems, companies must balance user convenience with robust identity verification controls.
