**Panera Bread Breach Exposed 5.1 Million Accounts, HIBP Confirms**
The cybersecurity platform Have I Been Pwned (HIBP) has confirmed that Panera Bread's data breach affected 5.1 million accounts. This figure is significantly lower than the initial number reported by the ShinyHunters gang, which claimed to have stolen data from over 14 million Panera Bread accounts.
The ShinyHunters group leaked a massive 760MB archive on its data leak site after Panera refused to pay the ransom. According to Have I Been Pwned, the attackers accessed Panera's systems using a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO accounts at major identity providers across more than 100 organizations.
As reported by Have I Been Pwned, "In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses."
Subsequently, Panera Bread confirmed to authorities that "the data involved is contact information" and said that it had notified relevant authorities. However, the company has yet to issue public notifications about the breach.
**The ShinyHunters Gang's Vishing Campaign**
The ShinyHunters group, known for its brazen tactics, claimed to have accessed Panera's systems using a Microsoft Entra SSO code as part of a broader vishing campaign. This campaign targeted SSO accounts at major identity providers across more than 100 organizations.
**A History of Data Breaches at Panera Bread**
This is not the first time Panera Bread has been hit by a data breach. In April 2018, journalist and cyber investigator Brian Krebs revealed that the company's website had leaked millions of customer records, including names, email addresses, physical addresses, birthdays, and even the last four digits of customers' credit card numbers.
Panera Bread continued to expose customer data for at least eight months after it was first notified of the problem. The exposed data also included customers' Panera loyalty card numbers, which could be used by scammers to spend prepaid accounts or steal value from Panera customer loyalty accounts.
**A Lack of Transparency?**
The issue was first reported to Panera Bread by security researcher Dylan Houlihan on August 2, 2017. However, the company's IT staff initially failed to acknowledge the flaw. After further investigation, the director of information technology, Mike Gustavison, assured Houlihan that the issue had been fixed. It later emerged that the issue had not been resolved.
Houlihan reported the breach again on April 2, 2018, this time to Brian Krebs. Panera told Fox Business that the data leak affected only about 10,000 records. However, experts at Hold Security estimated that the number of affected accounts was approximately 37 million.
**Conclusion**
The Panera Bread breach is a stark reminder of the ongoing threat of cyber attacks and the importance of robust cybersecurity measures. As the world becomes increasingly dependent on digital transactions, it is imperative for companies to prioritize data security and transparency in the face of breaches.