Panera Bread Data Breach Linked to ShinyHunters Extortion Leak
Panera Bread suffered a data breach in which the ShinyHunters extortion group claimed to have stolen data for more than 14 million accounts, then leaked a ~760MB archive after Panera allegedly refused to pay. Have I Been Pwned (HIBP) reviewed the exposed dataset and reported it contains ~5.1 million unique email addresses, indicating the real impact is substantially smaller than initial claims; the leaked data is described as account/contact information including names, phone numbers, and physical addresses. Panera has indicated the exposed data was contact information and said authorities were notified, while public notification to affected individuals was not yet reflected in the reporting.
ShinyHunters told reporters the intrusion leveraged a Microsoft Entra single sign-on (SSO) code, and was tied to a broader vishing campaign targeting SSO accounts at major identity providers (including Okta, Microsoft, and Google) across 100+ organizations. Other items in the set are unrelated: StopICE reported an attack involving abusive texts and alleged DDoS activity rather than the Panera incident, a Texas convenience-store operator (Gulshan Management Services) disclosed a separate ransomware-related data compromise affecting ~377,000 people, and a separate report described a widespread cloud storage renewal/payment phishing campaign.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
HIBP revises Panera breach impact to 5.1 million unique accounts
Have I Been Pwned reported that the Panera breach affected about 5.1 million unique accounts, clarifying that the previously cited 14 million figure referred to total records rather than unique customers. Analysis of the leaked dataset also identified more than 26,000 email addresses likely associated with Panera employees.
Panera confirms breach to authorities and says contact information was exposed
Panera Bread reportedly notified authorities about the incident and confirmed that the compromised data involved contact information. At the time of reporting, the company had not yet issued a public breach notification or formal public statement.
Attackers say Panera access came through Microsoft Entra SSO vishing
ShinyHunters told reporters it gained initial access to Panera using a Microsoft Entra single sign-on code obtained through a voice-phishing campaign. The group said the same campaign targeted SSO accounts tied to Okta, Microsoft, and Google across more than 100 organizations.
Panera allegedly refuses extortion demand and stolen data is leaked
After an alleged extortion attempt failed, ShinyHunters leaked a roughly 760 MB archive on its data leak site. The leaked data was described as containing customer contact information and included names, email addresses, phone numbers, and physical addresses.
ShinyHunters claims Panera Bread breach affecting over 14 million records
In late January 2026, the ShinyHunters extortion group claimed it had stolen data from Panera Bread and initially said the breach involved more than 14 million records. The claim framed the incident as part of the group's broader activity against multiple organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Panera Bread data breach affects 5.1 million accounts, not 14 million | SC Media
scworld.com
Open sourcePanera Bread breach affected 5.1 Million accounts, HIBP Confirms
securityaffairs.com
Open sourcePanera Bread breach impacts 5.1 million accounts, not 14 million customers
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Data Theft from Panera Bread via Microsoft Entra SSO Code
The extortion group **ShinyHunters** claimed it stole customer data from **Panera Bread**, alleging exfiltration of **14+ million records** containing PII such as names, email and home addresses, phone numbers, and account details. Reporting indicates the attackers said Panera access was obtained using a compromised **Microsoft Entra single sign-on (SSO) code**, aligning with broader industry warnings about criminals stealing SSO tokens/codes via **voice-phishing** campaigns. Neither Panera nor Microsoft publicly confirmed details in the cited coverage, and Panera/other victims did not immediately respond to media inquiries. ShinyHunters also asserted it holds data from **CarMax** (500,000+ records) and **Edmunds** (millions of records), but described those as stemming from **earlier, unrelated intrusions**; CarMax has previously been linked in reporting to a **Salesforce environment** compromise attributed to a ShinyHunters-associated group (**Scattered Lapsus$ Hunters**). Separate reporting about an **860GB Target source code leak** describes a different incident (likely initiated by an infostealer on an employee workstation) and is not part of the ShinyHunters/Panera SSO-code intrusion claims.
Mar 21, 2026
Panera Bread breach reportedly exposed data on more than 5 million customers
Panera Bread is facing renewed scrutiny after reports said a customer data breach was far larger than initially understood, with more than **5 million** people allegedly affected. The incident was linked to claims by the **ShinyHunters** extortion group, which said it had stolen Panera Bread data and was offering it for sale. Reporting indicated the exposed information included customer records and other personal details, raising concerns that the breach extended well beyond earlier public estimates. The disclosures follow a broader pattern of large-scale consumer data theft from online retail and shopping platforms. In a separate case, PandaBuy disclosed a breach tied to alleged exploitation of multiple API vulnerabilities, with independent validation indicating about **1.35 million** user accounts were compromised even as attackers claimed a larger haul. The stolen PandaBuy data reportedly included names, phone numbers, email addresses, login IPs, order details, and home addresses, underscoring the risk that attackers are targeting ecommerce platforms for rich stores of customer information that can be monetized or reused in follow-on fraud.
May 25, 2026
SoundCloud Data Breach Exposes 29.8 Million User Records
SoundCloud confirmed unauthorized access to an internal/ancillary service dashboard that enabled attackers to correlate **hidden email addresses** with information already visible on public SoundCloud profiles, impacting roughly **29.8 million accounts** (about **20%** of its user base). Exposed data was primarily **email addresses** plus public-profile metadata (e.g., usernames/display names, avatars, follower/following counts, and other profile statistics); SoundCloud stated **no passwords or financial data** were accessed. Users also reported service disruptions around the time of the incident, including access issues such as `403 Forbidden` errors (notably when connecting via VPN), consistent with post-incident security changes and response actions. Reporting attributed the intrusion and subsequent extortion attempt to the **ShinyHunters** group, with SoundCloud later acknowledging the actor made demands and used harassment tactics such as **email flooding**. The stolen dataset was subsequently leaked and then added to *Have I Been Pwned* for exposure checking, increasing downstream risk of targeted phishing and account-takeover attempts via credential stuffing on other services where users may have reused emails as identifiers. Separate contemporaneous claims by ShinyHunters against other companies (e.g., Panera Bread, CarMax, Edmunds) were reported but are distinct from the confirmed SoundCloud incident and include different alleged access vectors (e.g., stolen SSO codes).
Mar 21, 2026