ShinyHunters Claims Data Theft from Panera Bread via Microsoft Entra SSO Code
The extortion group ShinyHunters claimed it stole customer data from Panera Bread, alleging exfiltration of 14+ million records containing PII such as names, email and home addresses, phone numbers, and account details. Reporting indicates the attackers said Panera access was obtained using a compromised Microsoft Entra single sign-on (SSO) code, aligning with broader industry warnings about criminals stealing SSO tokens/codes via voice-phishing campaigns. Neither Panera nor Microsoft publicly confirmed details in the cited coverage, and Panera/other victims did not immediately respond to media inquiries.
ShinyHunters also asserted it holds data from CarMax (500,000+ records) and Edmunds (millions of records), but described those as stemming from earlier, unrelated intrusions; CarMax has previously been linked in reporting to a Salesforce environment compromise attributed to a ShinyHunters-associated group (Scattered Lapsus$ Hunters). Separate reporting about an 860GB Target source code leak describes a different incident (likely initiated by an infostealer on an employee workstation) and is not part of the ShinyHunters/Panera SSO-code intrusion claims.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters alleges earlier intrusions at Edmunds and CarMax
The group also claimed separate earlier breaches of Edmunds and CarMax, alleging the theft of millions of Edmunds records and more than 500,000 CarMax records. Reporting noted the CarMax incident had previously been associated with a ShinyHunters-linked Salesforce-focused campaign.
ShinyHunters claims theft of 14 million Panera Bread records
ShinyHunters listed Panera Bread on its leak site and claimed it stole more than 14 million customer records, including names, phone numbers, email addresses, home addresses, and other account-related details. The group said the access came through a compromised Microsoft Entra SSO code.
ShinyHunters claims prior breaches of Crunchbase, SoundCloud, and Betterment
ShinyHunters said it had previously compromised Crunchbase, SoundCloud, and Betterment, allegedly obtaining more than 50 million records in total. Reports said the Betterment and Crunchbase access involved voice-phished Okta SSO codes.
Threat researchers identify broad ShinyHunters vishing campaign
Silent Push and Mandiant described an ongoing ShinyHunters-branded campaign using voice phishing to steal Okta, Microsoft, and Google SSO credentials. The campaign was reported to have targeted roughly 100 organizations.
Betterment discloses social-engineering incident
Betterment publicly acknowledged that on January 9, 2026, a social-engineering incident involving third-party platforms allowed an attacker to send fraudulent crypto-related messages to some customers. Reporting later linked this incident to the broader ShinyHunters-branded activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ShinyHunters Claims 14M Panera Bread Records Exposed in Data Breach - TechRepublic
techrepublic.com
Open sourcePanera Bread, others allegedly breached by ShinyHunters | SC Media
scworld.com
Open sourceShinyHunters claims Panera Bread in alleged data theft • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Panera Bread Data Breach Linked to ShinyHunters Extortion Leak
**Panera Bread** suffered a data breach in which the **ShinyHunters** extortion group claimed to have stolen data for more than 14 million accounts, then leaked a ~**760MB** archive after Panera allegedly refused to pay. **Have I Been Pwned (HIBP)** reviewed the exposed dataset and reported it contains **~5.1 million unique email addresses**, indicating the real impact is substantially smaller than initial claims; the leaked data is described as account/contact information including **names, phone numbers, and physical addresses**. Panera has indicated the exposed data was **contact information** and said authorities were notified, while public notification to affected individuals was not yet reflected in the reporting. ShinyHunters told reporters the intrusion leveraged a **Microsoft Entra single sign-on (SSO) code**, and was tied to a broader **vishing** campaign targeting SSO accounts at major identity providers (including **Okta, Microsoft, and Google**) across **100+ organizations**. Other items in the set are unrelated: StopICE reported an attack involving abusive texts and alleged DDoS activity rather than the Panera incident, a Texas convenience-store operator (Gulshan Management Services) disclosed a separate ransomware-related data compromise affecting ~377,000 people, and a separate report described a widespread **cloud storage renewal/payment phishing** campaign.
Mar 21, 2026
Panera Bread breach reportedly exposed data on more than 5 million customers
Panera Bread is facing renewed scrutiny after reports said a customer data breach was far larger than initially understood, with more than **5 million** people allegedly affected. The incident was linked to claims by the **ShinyHunters** extortion group, which said it had stolen Panera Bread data and was offering it for sale. Reporting indicated the exposed information included customer records and other personal details, raising concerns that the breach extended well beyond earlier public estimates. The disclosures follow a broader pattern of large-scale consumer data theft from online retail and shopping platforms. In a separate case, PandaBuy disclosed a breach tied to alleged exploitation of multiple API vulnerabilities, with independent validation indicating about **1.35 million** user accounts were compromised even as attackers claimed a larger haul. The stolen PandaBuy data reportedly included names, phone numbers, email addresses, login IPs, order details, and home addresses, underscoring the risk that attackers are targeting ecommerce platforms for rich stores of customer information that can be monetized or reused in follow-on fraud.
May 25, 2026
ShinyHunters-Linked Extortion and Data Leak Claims Targeting Automotive Retailers
Data allegedly sourced from US automotive retailer **CarMax** was published online after a **failed extortion attempt**, according to a Have I Been Pwned breach entry. The exposed dataset reportedly includes **431,000 unique email addresses** along with **names, phone numbers, and physical addresses**, indicating a PII-heavy leak that could enable targeted phishing and identity-focused fraud. Separately, **CarGurus** was reported as being purportedly breached by the **ShinyHunters** hacking operation, with claims of **1.7 million corporate files** stolen and an extortion deadline tied to negotiations. The intrusion was alleged to have occurred via **single sign-on (SSO) codes obtained through voice phishing**, consistent with ShinyHunters’ prior claims of compromising other organizations using SSO-code access; CarGurus has been positioned as another extortion-driven theft where internal records and PII may be at risk of exposure.
Mar 21, 2026