Panera Bread Leaked Customer Information Online For 8 Months, Report Says

Panera Bread's website has allegedly leaked millions of customer records. According to a new report by KrebsOnSecurity, the exposed information includes names, email addresses, physical addresses, birthdays, loyalty card numbers, and the last four digits of credit card numbers. The data was reportedly retrievable in plain text from Panera's website and appears to belong to customers who signed up for an account to order takeout or catering online at panerabread.com.

The finding was allegedly reported to Panera's director of information security, Mike Gustavison, by security researcher Dylan Houlihan in August 2017. A screenshot of an email conversation indicates that Gustavison acknowledged Houlihan's message on August 9, but eight months went by before the records were removed from the bakery chain's site on April 2, several hours after KrebsOnSecurity contacted Panera about the exposure.

"Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database," Houlihan told KrebsOnSecurity, adding that he'd been checking up on the issue for months to no avail.
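The flaw Houlihan describes is an insecure direct object reference: the server trusts a client-supplied sequential ID and never checks that the logged-in session owns it, so a loop over integers drains the table. The following is an added illustration, not code from Panera or from the Krebs report, and every record, user name and log entry in it is constructed sample data. It shows the flawed lookup beside a hardened store that uses random 128-bit public IDs and an ownership check, plus a small log heuristic a defender could run to spot a client walking consecutive IDs.

```python
"""Sequential account IDs without an ownership check (an IDOR) let any logged-in
user walk the whole customer table. The hardened store below uses random opaque
IDs *and* checks ownership, and a small log heuristic flags ID-walking clients.
All records and log entries are constructed sample data, not Panera's."""
import secrets
from collections import defaultdict

# Constructed sample records keyed by sequential integer ID (hypothetical data).
SEQUENTIAL_ACCOUNTS = {
    1001: {"owner": "user-a", "name": "A. Example", "email": "a@example.com", "card_last4": "1111"},
    1002: {"owner": "user-b", "name": "B. Example", "email": "b@example.com", "card_last4": "2222"},
    1003: {"owner": "user-c", "name": "C. Example", "email": "c@example.com", "card_last4": "3333"},
}


def vulnerable_lookup(requested_id, session_user):
    """The flawed pattern: trust the client-supplied ID, never compare it to the session.
    session_user is accepted but ignored, which is exactly the bug."""
    return SEQUENTIAL_ACCOUNTS.get(requested_id)


def enumerate_accounts(lookup, session_user, start, stop):
    """What a scraper does against the flawed endpoint: increment and collect."""
    found = {}
    for candidate in range(start, stop):
        record = lookup(candidate, session_user)
        if record is not None:
            found[candidate] = record
    return found


class HardenedAccountStore:
    """Random 128-bit public IDs plus a server-side ownership check.
    Denied and missing IDs both return None so the endpoint is not an
    account-existence oracle."""

    def __init__(self):
        self._records = {}

    def create(self, owner, record):
        public_id = secrets.token_urlsafe(16)  # 128 random bits: infeasible to walk
        self._records[public_id] = {**record, "owner": owner}
        return public_id

    def lookup(self, public_id, session_user):
        record = self._records.get(public_id)
        if record is None or record["owner"] != session_user:
            return None
        return record


def flag_id_walkers(requests, min_run=5):
    """Detection heuristic over access-log tuples (client, requested_id):
    flag clients that request a run of consecutive IDs at least min_run long.
    Legitimate users fetch their own account; nobody fetches 1001, 1002, 1003..."""
    per_client = defaultdict(list)
    for client, requested_id in requests:
        per_client[client].append(requested_id)
    flagged = set()
    for client, ids in per_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    # The flawed endpoint hands user-a everyone's records.
    print(enumerate_accounts(vulnerable_lookup, "user-a", 1000, 1010))
    store = HardenedAccountStore()
    pid = store.create("user-a", {"name": "A. Example"})
    print(store.lookup(pid, "user-a"), store.lookup(pid, "user-b"))
    # Constructed log: 10.0.0.1 walks IDs 1001..1007, 10.0.0.2 refreshes its own page.
    log = [("10.0.0.1", i) for i in range(1001, 1008)] + [("10.0.0.2", 1001)] * 2
    print(flag_id_walkers(log))
```

Two points of the design matter in practice. Random public IDs alone are not a fix, since an ID that leaks through a referer header or a shared link would still be readable by anyone; the ownership comparison against the authenticated session is the actual control, and the opaque ID only removes the enumeration shortcut. The detection heuristic is deliberately crude and would need tuning against real traffic, but it is the kind of signal that could have surfaced this exposure during the eight months it sat unaddressed.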

In an interview with Fox Business, Panera Bread's chief information officer, John Meister, said that the customer information is no longer accessible and that only 10,000 customers had been affected by the leak. But security firm Hold Security claims that over 41 million customer records were exposed on the site, about 34 million more than the roughly 7 million KrebsOnSecurity had originally estimated.

The Daily Meal has reached out to Panera for further comment.

Sonic went through a comparable incident last September, when a data breach led to a fire sale of millions of stolen credit and debit card accounts, a story KrebsOnSecurity also broke. The compromised records included each cardholder's city, state, and ZIP code, so buyers could purchase cards belonging to customers who live near them. That geographic match helps defeat one standard anti-fraud defense: card issuers commonly flag or block suspicious out-of-state transactions, so fraudulent purchases made close to the cardholder's home look far more like legitimate activity.