Panera Bread breach affected 5.1 Million accounts, HIBP Confirms

Have I Been Pwned says Panera Bread's breach affected 5.1 million accounts, far fewer than the 14 million customers first reported.
Have I Been Pwned followed claims by the ShinyHunters gang, which said it stole data from over 14 million Panera Bread accounts. After Panera refused to pay, the group leaked a 760MB archive on its data leak site. ShinyHunters said it accessed Panera’s systems using a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO accounts at major identity providers across more than 100 organizations.
“In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses,” reported HIBP. “Panera Bread subsequently confirmed that ‘the data involved is contact information’ and that authorities were notified.”
BleepingComputer confirmed that roughly 5,120,000 accounts were impacted, adding that the number of affected users may be lower since individuals may have used more than one account.
Panera has confirmed the breach to authorities, saying the exposed data was contact information, but has not yet issued public notifications.
Panera Bread is a U.S.-based bakery-café chain known for bread, sandwiches, soups, salads, and coffee. Founded in 1987, it operates thousands of locations and focuses on fast-casual dining with dine-in, takeout, and delivery options.
In April 2018, the popular journalist and cyber investigator Brian Krebs revealed that Panera Bread's website leaked millions of customer records, including names, email and physical addresses, birthdays and the last four digits of customers' credit card numbers, for at least eight months before it was taken offline.
Panera Bread exposed the data for at least eight months after the company was first notified of the data leak.
The company also exposed customers' Panera loyalty card numbers, which scammers could use to spend from prepaid accounts or to steal value from Panera customer loyalty accounts.
The disconcerting aspect of the story is that the issue was first reported to Panera Bread by the security researcher Dylan Houlihan on August 2, 2017.
The experts reported that, at first, the IT staff did not acknowledge the flaw, but after further investigation, the director of information technology, Mike Gustavison, told the expert that the issue was fixed.
Houlihan verified that the issue was not fixed and on April 2nd, 2018, reported it to Brian Krebs.
Panera told Fox Business that the data leak affected only about 10,000 records, but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.
Pierluigi Paganini
(SecurityAffairs – hacking, data breach)
