Panera Bread breach impacts 5.1 million accounts, not 14 million clients

The data breach notification service Have I Been Pwned says {that a} data breach on the U.S. meals chain Panera Bread affected 5.1 million accounts, not 14 million clients as beforehand reported.

Based in 1987, the corporate operates practically 2,300 bakery-cafes throughout 48 U.S. states and in Ontario, Canada, underneath the names Panera Bread or Saint Louis Bread Co.

Have I Been Pwned’s report comes after the ShinyHunters extortion gang claimed in late January that they’d stolen a variety of personally identifiable info (PII) and speak to info for over 14 million Panera Bread person accounts. The cybercrime group has since leaked an archive of practically 760 MB of paperwork on its darkish net leak web site, containing knowledge stolen from Panera Bread.

“These information have been leaked on the ShinyHunters DLS as a result of the sufferer didn’t pay a ransom or cooperate and adjust to the ShinyHunters group,” the extortion gang says in a textual content file added to the leaked archive.

ShinyHunters instructed BleepingComputer that they gained entry to Panera’s methods by way of a Microsoft Entra single sign-on (SSO) code. The assault was a part of a brand new ShinyHunters voice phishing (vishing) marketing campaign focusing on single sign-on (SSO) accounts at Okta, Microsoft, and Google throughout greater than 100 high-profile organizations.

“In January 2026, Panera Bread suffered a data breach that uncovered 14M data,” stated data breach notification service Have I Been Pwned over the weekend. “After an tried extortion failed, the attackers revealed the info publicly, which included 5.1M distinctive e mail addresses together with related account info comparable to names, cellphone numbers and bodily addresses.”

Whereas different information retailers have reported instantly after ShinyHunters claimed the assault that the breach affected 14 million Panera Bread clients, the extortion gang’s web site defined that that quantity refers to data stolen through the assault. Based on BleepingComputer’s depend, these stolen data include private info for roughly 5,120,000 distinctive person accounts, which can signify fewer clients, since every affected particular person might have used multiple account.

BleepingComputer additionally discovered greater than 26,000 distinctive panerabread.com e mail addresses, doubtless belonging to Panera Bread staff whose PII was stolen within the breach.

Whereas Panera Bread has but to file data breach notifications or situation an announcement concerning the incident, it has notified authorities and confirmed the breach, saying that “the info concerned is contact info.”

As a part of the identical sequence of vishing assaults, ShinyHunters has additionally breached the web courting large Match Group, which owns a number of fashionable courting companies, together with Tinder, Match.com, Hinge, Meetic, and OkCupid.

Match Group has since confirmed that the attackers stole a “restricted quantity of person knowledge” after ShinyHunters leaked 1.7 GB of compressed information allegedly containing inside paperwork and round 10 million data of Hinge, OkCupid, and Match person info.

Audio streaming platform SoundCloud additionally confirmed a ShinyHunters assault in December, following widespread studies of customers encountering 403 “Forbidden” errors when connecting by way of VPN. The assault led to a data breach affecting 29.8 million accounts, as Have I Been Pwned revealed final week.

BleepingComputer reached out to Panera Bread with questions concerning the December 2025 incident, however a response was not instantly obtainable.

Panera Bread additionally notified staff of a data breach in June 2024 after risk actors stole their private info in a March 2024 ransomware assault that triggered a nationwide IT outage.