Panera Bread breach reportedly exposed data on more than 5 million customers
Panera Bread is facing renewed scrutiny after reports said a customer data breach was far larger than initially understood, with more than 5 million people allegedly affected. The incident was linked to claims by the ShinyHunters extortion group, which said it had stolen Panera Bread data and was offering it for sale. Reporting indicated the exposed information included customer records and other personal details, raising concerns that the breach extended well beyond earlier public estimates.
The disclosures follow a broader pattern of large-scale consumer data theft from online retail and shopping platforms. In a separate case, PandaBuy disclosed a breach tied to alleged exploitation of multiple API vulnerabilities, with independent validation indicating about 1.35 million user accounts were compromised even as attackers claimed a larger haul. The stolen PandaBuy data reportedly included names, phone numbers, email addresses, login IPs, order details, and home addresses, underscoring the risk that attackers are targeting ecommerce platforms for rich stores of customer information that can be monetized or reused in follow-on fraud.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Reports say Panera Bread breach affected over 5 million customers
Follow-up reporting said the alleged Panera Bread data breach was more serious than initially understood, with more than 5 million customers reportedly impacted. This represented an escalation in the reported scale of the incident.
ShinyHunters claims Panera Bread customer data theft
A report said the ShinyHunters cybercrime group claimed to have stolen Panera Bread customer data. The claim marked the public emergence of an alleged Panera Bread breach incident.
Have I Been Pwned verified PandaBuy breach data
Troy Hunt validated the leaked PandaBuy dataset by initiating password reset requests and confirming 1,348,407 valid PandaBuy-linked email addresses. This provided independent confirmation that the exposed data was authentic.
PandaBuy data leak exposed about 1.35 million accounts
Attackers allegedly exploited multiple PandaBuy API vulnerabilities and other bugs to steal customer data including names, phone numbers, email addresses, addresses, order details, and login IPs. Threat actor Sanggiero, reportedly working with IntelBroker, claimed the theft affected more than 3 million users, but validation indicated roughly 1,348,407 accounts were compromised.
PandaBuy says older breach had already been remediated
After reports of a PandaBuy data breach surfaced, company representatives said on Discord that the incident was older and had already been fixed. No formal public statement had been published at that time.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Panera Bread data breach much more serious than we thought - over 5 million customers were hit, new reports claim | TechRadar
techradar.com
Open sourceShinyHunters claims Panera Bread in alleged data theft
theregister.com
Open sourceChinese ecommerce giant PandaBuy hit by cyberattack, data breach | TechRadar
techradar.com
Open sourceShopping platform PandaBuy data leak impacts 1.3 million users
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Panera Bread Data Breach Linked to ShinyHunters Extortion Leak
**Panera Bread** suffered a data breach in which the **ShinyHunters** extortion group claimed to have stolen data for more than 14 million accounts, then leaked a ~**760MB** archive after Panera allegedly refused to pay. **Have I Been Pwned (HIBP)** reviewed the exposed dataset and reported it contains **~5.1 million unique email addresses**, indicating the real impact is substantially smaller than initial claims; the leaked data is described as account/contact information including **names, phone numbers, and physical addresses**. Panera has indicated the exposed data was **contact information** and said authorities were notified, while public notification to affected individuals was not yet reflected in the reporting. ShinyHunters told reporters the intrusion leveraged a **Microsoft Entra single sign-on (SSO) code**, and was tied to a broader **vishing** campaign targeting SSO accounts at major identity providers (including **Okta, Microsoft, and Google**) across **100+ organizations**. Other items in the set are unrelated: StopICE reported an attack involving abusive texts and alleged DDoS activity rather than the Panera incident, a Texas convenience-store operator (Gulshan Management Services) disclosed a separate ransomware-related data compromise affecting ~377,000 people, and a separate report described a widespread **cloud storage renewal/payment phishing** campaign.
Mar 21, 2026
ShinyHunters Claims Data Theft from Panera Bread via Microsoft Entra SSO Code
The extortion group **ShinyHunters** claimed it stole customer data from **Panera Bread**, alleging exfiltration of **14+ million records** containing PII such as names, email and home addresses, phone numbers, and account details. Reporting indicates the attackers said Panera access was obtained using a compromised **Microsoft Entra single sign-on (SSO) code**, aligning with broader industry warnings about criminals stealing SSO tokens/codes via **voice-phishing** campaigns. Neither Panera nor Microsoft publicly confirmed details in the cited coverage, and Panera/other victims did not immediately respond to media inquiries. ShinyHunters also asserted it holds data from **CarMax** (500,000+ records) and **Edmunds** (millions of records), but described those as stemming from **earlier, unrelated intrusions**; CarMax has previously been linked in reporting to a **Salesforce environment** compromise attributed to a ShinyHunters-associated group (**Scattered Lapsus$ Hunters**). Separate reporting about an **860GB Target source code leak** describes a different incident (likely initiated by an infostealer on an employee workstation) and is not part of the ShinyHunters/Panera SSO-code intrusion claims.
Mar 21, 2026
BigBasket User Database Offered on Dark Web and Later Leaked for Free
Indian online grocer **BigBasket** was linked to a major data exposure after a threat actor advertised a database allegedly containing details of roughly **20 million users** for sale on the dark web. Reporting said the records included customer information such as names, email addresses, phone numbers, physical addresses, dates of birth, password hashes, and IP addresses, raising concerns about follow-on phishing, account takeover, and identity fraud affecting a large portion of the company’s customer base. The incident later escalated when the same alleged **BigBasket** dataset was reportedly released for free, making the information broadly accessible rather than limited to a private sale. The leak significantly increased the potential impact of the breach by lowering the barrier for cybercriminals to reuse the data in credential attacks and targeted scams, while intensifying scrutiny of the company’s security posture and breach response.
May 25, 2026