Panera Bread data breach exposes 5.1 million customers
Another major consumer brand has joined the growing list of companies affected by serious data breaches. Panera Bread has confirmed a cybersecurity incident after hacking group ShinyHunters claimed to have stolen millions of customer records.
The breach exposes a wide range of personal data, raising real concerns for anyone who has placed an order, created an account or shared contact information with the popular bakery chain.

Panera Bread confirmed a data breach after hackers claimed to have stolen millions of customer records containing contact information. (AP Photo)
What happened in the Panera Bread data breach?
ShinyHunters added Panera Bread to its data breach site earlier this year, initially claiming it had stolen more than 14 million customer records. According to the group, the stolen data includes names, email addresses, phone numbers, home addresses and account-related information.
Panera Bread has since confirmed a cybersecurity incident. In a statement to media, the company described the exposed data as customer “contact information” and said it contacted authorities and took steps to address the incident. Panera has not shared technical details about how the attack occurred or whether customers should take specific actions.
Even “contact information” can be dangerous in the wrong hands. When combined, these details can be used for identity theft, spear phishing, and very convincing social engineering scams.
ShinyHunters claims that attackers accessed Panera systems through Microsoft Sign-in single sign-on (SSO). While Panera has not confirmed that claim, it closely reflects Okta’s recent warnings about an increase in voice phishing attacks targeting SSO platforms.
In these attacks, criminals impersonate IT or help desk staff and call employees directly. They pressure targets to approve authentication requests or enter login credentials on fake SSO pages. Once attackers capture session tokens or credentials, they can bypass some forms of multi-factor authentication and move laterally through enterprise systems. This approach relies on human trust rather than technical feats, making it increasingly effective.
How many people were really affected?
At first glance, claims that 14 million customers were affected suggested a huge breach. However, researchers at Have I Been Pwned later clarified that the attackers stole 14 million records, not data linked to 14 million unique individuals.
After reviewing the leaked data set, researchers now estimate that the breach affected approximately 5.1 million unique people. The exposed information includes email addresses along with associated names, phone numbers, and physical addresses.
That distinction is important, but it does not eliminate risk. Once stolen data is made public, it can quickly spread through criminal forums and be reused for years.

Hacker group ShinyHunters leaked stolen Panera customer data online after an extortion attempt failed. (Panera Bread)
The hackers leaked the data after the extortion failed.
ShinyHunters reportedly attempted to extort Panera Bread before publishing the stolen data. When those efforts failed, the group posted a 760MB file containing millions of customer records to its leak site.
This reflects a broader shift in cybercrime. Instead of locking down systems with ransomware, many groups are now focused on quietly stealing data and threatening public exposure. These attacks are faster, harder to detect, and often just as profitable.
ShinyHunters has used similar tactics in other high-profile incidents involving Bumble, Match Group, Crunchbase, and other consumer platforms.
Lawsuits filed after Panera breach disclosure
The breach has already led to legal consequences. Multiple class-action lawsuits have been filed in U.S. federal court, alleging that Panera failed to adequately protect customer data.
The lawsuits claim Panera knew or should have known about the security weaknesses and seek damages, improved security practices and long-term identity theft protection for affected customers. Panera has not commented publicly on the litigation.
A worrying pattern for Panera Bread
This is not Panera Bread’s first major security breach. In 2018, a cybersecurity researcher revealed that Panera had left millions of customer records exposed online in plain text. That incident later led to lawsuits and settlements.
Repeat breaches often point to deeper challenges. Large organizations may struggle to secure cloud services, identity systems, and employee access at scale. When attackers target identity platforms rather than infrastructure, a single error can expose millions of records.
We reached out to Panera Bread for comment but did not hear back by deadline.

Exposed contact data, such as names, emails, and addresses, can fuel phishing and identity theft scams long after a breach becomes public. (Donato Fasano/Getty Images)
7 steps you can take to protect yourself after the Panera data breach
When a major consumer brand suffers a breach, customers often don’t realize the risk until weeks or months later. These steps help limit what attackers can do with your information if your Panera data falls into the wrong hands.
1) Use a unique, strong password for each account
If you have ever created a Panera Bread account, reset your password immediately. If you reused that password elsewhere, those accounts are now at risk as well. Attackers routinely test breached passwords on email, shopping, and banking sites.
A password manager helps you generate strong, unique passwords for each account and store them securely so you never need to reuse credentials. Many password managers also alert you if your email or passwords show up in known data breaches, giving you an early warning to lock things down quickly.
Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
2) Enable two-factor authentication (2FA) whenever possible
Two-factor authentication (2FA) adds a second step to the login process, usually through an app or device that you control. Even if someone obtains your password through phishing or a breach, 2FA makes it much more difficult for them to access your account.
3) Be careful with phishing messages
Cybercriminals often follow up breaches with fake emails or in-app messages purporting to offer help or security updates. Always check the sender and avoid clicking on links. If in doubt, open the app or website directly instead of replying to the message. Using powerful antivirus software adds another layer of protection by flagging malicious links and blocking known threats before they can cause harm. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
4) Limit the personal data you share
When names, email addresses, phone numbers, and physical addresses are exposed, identity theft becomes a real risk. Identity theft protection services monitor your personal information, alert you if it appears on the dark web, and monitor attempts to open new accounts in your name.
If something goes wrong, these services often include recovery support to help freeze accounts, dispute fraud, and guide you through the cleanup process.
5) Reduce your digital footprint with a data erasure service
Scammers don’t rely solely on one breach. They combine leaked data with information from data broker sites to create detailed profiles. Data removal services help remove your phone number, home address, and other personal data from hundreds of these sites.
While no service can erase everything, reducing what’s publicly available makes it much harder for criminals to target you with compelling scams or identity fraud. This is one of the most effective long-term ways to reduce risk after any major breach.
6) Secure your email account
Your email account controls password resets for most services. Protect it with a strong password and 2FA. Periodically review your login activity and recovery settings, so attackers can’t use your email to take over other accounts.
7) Watch for account changes after breach news
Not all breaches lead to immediate account takeovers. In some cases, attackers silently test access weeks later. That’s why it’s important to stay alert after breach reports. Be on the lookout for password reset emails you didn’t request, profile changes that you didn’t make or new messages that you didn’t send. Unexpected logouts or security alerts are also red flags. If you notice anything unusual, change your password immediately and review your security settings.
Kurt’s Key Takeaway
The Panera Bread data breach is another reminder that even well-known brands can become major cyber targets. While Panera says only contact information was exposed, that data is often enough to fuel scams and identity theft long after the headlines are gone. Staying proactive after news of leaks is now part of protecting your digital life.
Do you still trust big brands to protect your personal information, or have repeated breaches changed the amount of data you’re willing to share? Let us know by writing to us at Cyberguy.com.
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.


