Panera Bread breach: ShinyHunters claims hack of 14 million customers' data


Panera Bread breach: ShinyHunters says it hacked 14 million customers

The hacking group ShinyHunters is at it again.

This time, it's customers of the bakery chain Panera Bread who've had their private data compromised. This appears to be part of the same breach we reported on earlier this week, which targeted Match Group users.

On their website earlier this week, ShinyHunters confirmed that they are behind a Panera Bread data breach that has resulted in more than 14 million customer records being stolen. The stolen data reportedly includes customers' names, email addresses, phone numbers, home addresses, and account details.

Panera Bread has since confirmed the data breach.

The company described the compromised data as "contact information" in a statement to Bloomberg. Panera said it has since contacted law enforcement and taken steps to address the incident.

"The Panera Bread data breach will be devastating for those affected," said Ade Clewlow, associate director and senior advisor at cybersecurity consultancy NCC Group, in a statement to Mashable. "Not only do affected customers run the risk of identity theft, but we know that PII [Personally Identifiable Information] is sold on to other criminal groups on the dark web who will exploit victims through social engineering. The combination of PII that has been taken, if true, poses a real risk to the victims of this hack."

As The Register reported, ShinyHunters said that they were able to gain access to a Panera Bread database through a Microsoft Entra single-sign-on (SSO) code.

Okta, a platform that similarly provides companies with SSO codes, shared a warning just last week about new voice phishing campaigns being deployed by cybercriminals. In the attack, a bad actor typically poses as an IT worker and calls their target, requesting they enter their credentials on a phishing website made to look like an SSO platform. The fake page records what the target enters, providing the login information to the bad actor.

"This aligns closely with Okta’s recent warnings about vishing-driven SSO compromise targeting Okta, Microsoft, and Google," said Cory Michal, CSO at security platform AppOmni, in a statement to Mashable. "Okta has described custom, real-time kits used during voice calls to capture credentials/session tokens and defeat non-phishing-resistant MFA across these major identity ecosystems."

This isn't the first time Panera Bread has suffered a major online security breach. Back in 2018, a cybersecurity professional reported that Panera Bread had left millions of customers' personal data exposed in plain text on its website.

"The big lesson is Panera's repeated compromises," said Michal. "The fact it’s already had to settle class-action claims over alleged failures to protect consumer data shows how difficult it is for large, distributed organizations to consistently operationalize SaaS and identity security at scale."

As for ShinyHunters, the hacking group has taken responsibility for other recent data breaches involving Bumble, Match, and CrunchBase. The group also posted private data from previous breaches of automobile platforms like CarMax, which an affiliated group known as Scattered LAPSUS$ Hunters has taken credit for.

In a statement provided to Mashable, NCC Group senior adviser and director Tim Rawlins urged companies to take a more proactive approach to this recent string of cybersecurity incidents.

"We have seen effective social engineering persuade staff to provide their multi-factor authentication (MFA) details to attackers masquerading as their helpdesk, and MFA ‘bombing’ whereby the member of staff is inundated with MFA requests until they respond. Both versions allow the attacker to compromise an IT estate," Rawlins said. "The only counter to such attacks is better staff awareness and phishing-resistant MFA."
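
The MFA "bombing" pattern Rawlins describes leaves a recognizable trace in sign-in logs: a burst of rejected or unanswered prompts for one user, followed by a single approval. Detection logic for that pattern in Python, added here as an illustration and not taken from Mashable, NCC Group, Okta or Microsoft; the event fields, the thresholds and the sample records are constructed assumptions, not any identity provider's real log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not a real provider's logs):
# (timestamp, user, result) where result is "denied", "timeout" or "approved".
SAMPLE_EVENTS = [
    ("2026-01-30T09:00:05", "alice", "approved"),   # normal single prompt
    ("2026-01-30T02:10:00", "bob", "denied"),
    ("2026-01-30T02:10:40", "bob", "timeout"),
    ("2026-01-30T02:11:15", "bob", "denied"),
    ("2026-01-30T02:12:02", "bob", "timeout"),
    ("2026-01-30T02:12:50", "bob", "denied"),
    ("2026-01-30T02:13:30", "bob", "approved"),     # gives in after the burst
    ("2026-01-30T11:00:00", "carol", "denied"),     # one mistaken prompt
    ("2026-01-30T15:00:00", "carol", "approved"),   # hours later, unrelated
]

def find_mfa_fatigue(events, window=timedelta(minutes=10), min_failures=4):
    """Return (user, approval_time, failures) for each approval that follows
    at least `min_failures` rejected or unanswered prompts inside `window`."""
    recent = defaultdict(deque)   # user -> timestamps of recent failed prompts
    alerts = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for ts, user, result in sorted(events):
        when = datetime.fromisoformat(ts)
        failed = recent[user]
        # Drop failures that have aged out of the sliding window.
        while failed and when - failed[0] > window:
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(when)
        elif result == "approved":
            if len(failed) >= min_failures:
                alerts.append((user, ts, len(failed)))
            failed.clear()        # an approval ends the current burst
    return alerts

if __name__ == "__main__":
    for user, ts, count in find_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{user}: approval at {ts} after {count} failed prompts")
```

An alert of this kind is a prompt to revoke the session and contact the user out of band; it does not replace the phishing-resistant MFA Rawlins recommends.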
