TL;DR:
- ShinyHunters breached Panera Bread in December 2025 by tricking an employee into handing over a Microsoft Entra SSO code via a phone call
- 14 million records were stolen, covering 5.1 million unique customer accounts plus 26,000+ employee email addresses
- Leaked data includes names, email addresses, phone numbers, and physical addresses
- Panera refused to pay the ransom. ShinyHunters dumped a 760GB archive on their leak site
- Same attack method has hit 100+ organizations including Harvard, UPenn, SoundCloud, Grubhub, and Betterment
A Phone Call Was All It Took
Sometime in December 2025, someone at Panera Bread got a phone call. The caller sounded convincing: maybe they claimed to be from IT, or from Microsoft support, or from a vendor. Whatever the pitch, the target handed over a Microsoft Entra single sign-on code. That code gave ShinyHunters the keys to Panera's cloud systems [1][2].
By the time anyone noticed, ShinyHunters had exfiltrated 14 million records from the company's SaaS environment. They contacted Panera with a ransom demand. Panera didn't pay [3].
In late January 2026, ShinyHunters published the entire dataset on their Tor-based leak site. A 760GB archive. Available to anyone who knows where to look [1].
What Got Stolen
Have I Been Pwned (the breach notification service that's become the industry standard for confirming leaks) processed the dump and found 5.1 million unique email addresses [3]. The initial 14 million record count included duplicates from customers with multiple accounts.
The stolen data includes:
- Names: full names tied to Panera accounts and loyalty memberships
- Email addresses: 5.1 million unique addresses
- Phone numbers: tied to account profiles
- Physical addresses: delivery addresses, billing addresses
- Employee data: more than 26,000 panerabread.com email addresses, likely belonging to current and former staff [3]
Panera confirmed to authorities that "the data involved is contact information." No financial data or payment cards; at least, none that has been verified in the dump so far [3].
Small comfort when your name, home address, email, and phone number are sitting on a hacking forum.
Panera's Second Breach in Eight Years
Here's the part Panera probably doesn't want you to remember: this isn't their first major data breach. In 2018, a security researcher named Dylan Houlihan discovered that Panera had been exposing millions of customer records through an unauthenticated API endpoint, for at least eight months. Panera initially dismissed the report. It took media coverage to force a fix [4].
Eight years later, attackers didn't need an API flaw. They just called someone and asked for a password.
The Vishing Playbook That Won't Stop Working
ShinyHunters' method is disturbingly simple. They call employees at target companies, impersonate IT support or identity provider staff, and talk them into revealing multi-factor authentication codes or SSO credentials. No malware. No zero-day exploits. Just social engineering over the phone: what the security industry calls "vishing" (voice phishing) [2].
Once they have an SSO code, ShinyHunters authenticate into the victim's cloud environment: Microsoft Entra (formerly Azure AD), Okta, or whatever identity provider the company uses. From there, they move laterally through connected SaaS applications, scraping databases and exfiltrating data [5].
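The vishing relay described above leaves a recognizable shape in identity-provider sign-in logs: a second factor that a user can read out over the phone (SMS, push approval, app code) is accepted for a session coming from an unfamiliar network on an unmanaged device. The following audit script is an added example written for this post, not code from Panera, Microsoft, or any of the cited sources. The record fields (ipAddress, deviceDetail, authenticationDetails) loosely follow what Entra ID sign-in logs expose, but the method names are assumed, the three sign-in records are constructed, and the corporate IP range is a placeholder to replace with your own.

```python
"""Flag sign-ins where a phishable MFA method was accepted off-network on an
unmanaged device, the pattern a real-time vishing relay produces.

Added example for this post; not vendor code. Field names approximate Entra ID
sign-in log records; method strings and sample data are assumptions.
"""
import ipaddress

# Second factors an attacker on the phone can talk a user into relaying,
# versus origin-bound methods that a relayed code cannot reproduce.
PHISHABLE = {"Text message", "Mobile app notification",
             "Mobile app verification code", "Phone call"}
PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business", "Passkey"}

# Hypothetical corporate egress range (placeholder; use your own allowlist).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def mfa_methods(record: dict) -> set:
    """Return the non-password methods that succeeded for this sign-in."""
    return {
        d["authenticationMethod"]
        for d in record.get("authenticationDetails", [])
        if d.get("succeeded") and d.get("authenticationMethod") != "Password"
    }


def assess(record: dict) -> dict:
    methods = mfa_methods(record)
    # Only phishable if no phishing-resistant factor was also presented.
    phishable = bool(methods & PHISHABLE) and not (methods & PHISHING_RESISTANT)
    off_network = not is_corporate(record["ipAddress"])
    compliant = record.get("deviceDetail", {}).get("isCompliant", False)
    return {
        "user": record["userPrincipalName"],
        "methods": sorted(methods),
        "phishable": phishable,
        "off_network": off_network,
        "compliant_device": compliant,
        # All three together is the vishing shape worth a help-desk callback.
        "flag": phishable and off_network and not compliant,
    }


def audit(records) -> list:
    """Return the assessments that were flagged, in log order."""
    return [r for r in map(assess, records) if r["flag"]]


# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {   # Hardware key from home: off-network, but the factor is unphishable.
        "userPrincipalName": "alice@example.com",
        "ipAddress": "198.51.100.20",
        "deviceDetail": {"isCompliant": False},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "FIDO2 security key", "succeeded": True},
        ],
    },
    {   # SMS code, but from the office on a managed device.
        "userPrincipalName": "bob@example.com",
        "ipAddress": "203.0.113.8",
        "deviceDetail": {"isCompliant": True},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Text message", "succeeded": True},
        ],
    },
    {   # Push approval, unknown network, unmanaged device: flag it.
        "userPrincipalName": "carol@example.com",
        "ipAddress": "198.51.100.7",
        "deviceDetail": {"isCompliant": False},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True},
        ],
    },
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_SIGNINS):
        print(f"REVIEW {hit['user']}: {hit['methods']} from off-network unmanaged device")
```

The check is deliberately conjunctive: a phishable factor alone is normal in most tenants today, and an unmanaged device alone is normal for remote staff; it is the combination, during the same authentication, that should trigger a callback to the user on a known number.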
This exact playbook has been devastatingly effective. ShinyHunters and their affiliates (operating under various names including "Scattered LAPSUS$ Hunters") have compromised more than 100 organizations through SSO vishing since 2024 [5]. A partial list of confirmed victims:
- Harvard University: 1.1 million records, published February 2026
- University of Pennsylvania: 1.1 million records, published February 2026
- SoundCloud: 29.8 million accounts
- Grubhub: customer and driver data
- Betterment: 1.4 million fintech accounts
- Crunchbase: 2 million records
- TransUnion: via Salesforce compromise
- Bumble: contractor account compromised
- Panera Bread: 5.1 million accounts
The pattern is consistent. Call, trick, authenticate, steal, extort, leak. The phone call takes minutes. The damage lasts years.
Why Companies Keep Falling for It
SSO was supposed to fix security. One identity, one login, centralized control. Instead, it created a single point of failure. Compromise one SSO credential and you've got access to everything connected to it: Salesforce, Slack, cloud storage, customer databases, HR systems [5].
The problem isn't the technology. It's that the entire security model assumes the human at the keyboard won't hand the keys to someone who called them on the phone. MFA helps, but ShinyHunters specifically targets the MFA flow, calling employees during the authentication process and talking them through handing over their verification code in real time.
Phishing-resistant MFA (hardware security keys, passkeys) would stop this attack dead. But most companies still rely on SMS codes, authenticator app push notifications, or one-time passcodes, all of which can be socially engineered over a phone call.
What Panera Customers Should Do Now
If you've ever ordered from Panera (online, through the app, or through their loyalty program), assume your data is in this dump.
- Check Have I Been Pwned at haveibeenpwned.com. Enter your email to see if it's in the Panera breach dataset.
- Change your Panera password. If you reused that password anywhere else (and be honest, most people do), change it everywhere.
- Watch for phishing. Your name, email, phone, and address are now public. Expect targeted scams that reference Panera, your local area, or your actual name. Don't trust emails or calls claiming to be from Panera about "breach remediation."
- Enable a password manager. Use unique, random passwords for every account. Bitwarden is free and open source. 1Password is solid. Stop reusing passwords.
- Freeze your credit. Contact information alone doesn't enable identity theft, but combined with data from other breaches (and there are plenty), it fills in the puzzle. A credit freeze at Equifax, Experian, and TransUnion is free and takes five minutes.
The Bigger Problem
ShinyHunters isn't some elite nation-state hacking group deploying custom zero-days. They're making phone calls. And those phone calls keep working because:
- Most companies still use phishable MFA methods
- Help desk and IT support staff aren't trained to resist social engineering
- SSO centralizes access so completely that one compromised credential opens everything
- Cloud environments make data exfiltration trivially easy once you're authenticated
Until companies deploy phishing-resistant authentication across the board (hardware keys, passkeys, FIDO2), vishing will keep working. ShinyHunters will keep calling. And your data will keep ending up on leak sites.
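The gap between "MFA required" and "phishing-resistant MFA required" is visible in the Conditional Access policy itself, which is where the two preceding sections (why SSO becomes a single point of failure, and why phishable MFA keeps losing to a phone call) come together. The script below is an added example for this post, not Microsoft tooling or anything from the cited sources. The two policies are constructed and follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions, grantControls); the built-in authentication strength id used for "Phishing-resistant MFA" is the one Entra documents, but verify it against your own tenant before relying on it.

```python
"""Compare a weak Conditional Access policy (any MFA satisfies the grant) with a
hardened one (phishing-resistant authentication strength) and report gaps.

Added example for this post; not vendor code. Policy objects are constructed in
the Microsoft Graph conditionalAccessPolicy shape; the strength id is assumed.
"""

# Built-in Entra authentication strength for phishing-resistant MFA
# (FIDO2, Windows Hello for Business, certificate-based auth). Assumed; verify.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Weak setting: "mfa" is satisfied by SMS, push, or an authenticator code,
# all of which a caller can talk a user into relaying in real time.
WEAK_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected setting: grant only on a phishing-resistant authentication strength.
HARDENED_POLICY = {
    "displayName": "Require phishing-resistant MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "authenticationStrength": {
            "id": PHISHING_RESISTANT_STRENGTH_ID,
            "displayName": "Phishing-resistant MFA",
        },
    },
}


def covers_everyone(policy: dict) -> bool:
    cond = policy["conditions"]
    return ("All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))


def requires_phishing_resistant(policy: dict) -> bool:
    strength = policy.get("grantControls", {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID


def findings(policy: dict) -> list:
    """Human-readable gaps in a single policy; empty list means no findings."""
    out = []
    if policy.get("state") != "enabled":
        out.append(f"not enforced (state={policy.get('state')})")
    if not covers_everyone(policy):
        out.append("scope does not cover all users and all applications")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "mfa" in controls and not requires_phishing_resistant(policy):
        out.append("grants on any MFA method; SMS, push and OTP codes satisfy it")
    if policy["conditions"]["users"].get("excludeUsers"):
        out.append("has user exclusions; confirm they are only break-glass accounts")
    return out


def tenant_enforces_phishing_resistant(policies) -> bool:
    """True if at least one enabled, all-users/all-apps policy requires it."""
    return any(p.get("state") == "enabled" and covers_everyone(p)
               and requires_phishing_resistant(p) for p in policies)


if __name__ == "__main__":
    for pol in (WEAK_POLICY, HARDENED_POLICY):
        print(pol["displayName"], "->", findings(pol) or "no findings")
    print("tenant enforces phishing-resistant MFA:",
          tenant_enforces_phishing_resistant([WEAK_POLICY, HARDENED_POLICY]))
```

Run against a real tenant, the policies would come from a Graph export of `/identity/conditionalAccess/policies` rather than the constructed objects here. The usual rollout caveat applies: deploy the hardened policy in report-only mode first, register keys or passkeys for everyone in scope, and keep the break-glass exclusions small and audited, because an exclusion is exactly the account a caller will ask for.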
The call is coming from inside the house. It always was.
Sources
- The Register: ShinyHunters Claims Panera Bread in Alleged Data Theft (Jan 27, 2026)
- TechRepublic: ShinyHunters Claims 14M Panera Bread Records Exposed in Data Breach
- BleepingComputer: Panera Bread Breach Impacts 5.1 Million Accounts, Not 14 Million (Feb 2, 2026)
- Krebs on Security: PaneraBread.com Leaks Millions of Customer Records (Apr 2018)
- State of Surveillance: ShinyHunters' SSO Campaign Has Hit 100+ Companies
- Have I Been Pwned: Panera Bread Data Breach
Published: February 10, 2026