Data Leak Lasted At Least Eight Months – Panera Was Warned About the Problem Last August

On April 3, 2018, reported:

Panera Bread acknowledged a data leak on Monday, but says fewer than 10,000 customers were affected. The leak appears to have persisted for at least eight months, despite the company having been warned about the problem last August. And the exposed database appears to have included information on more than 7 million customers, meaning the breach could be much larger than Panera Bread claims.

Information security blogger Brian Krebs reported that the leak’s finder, security researcher Dylan Houlihan, recently alerted him to the problem. Krebs writes that after he contacted Panera Bread with an inquiry, the company briefly took its website offline, apparently to attempt to fix the problem.

The leaked data appears to include a raft of information, including names, usernames, email addresses, phone numbers and the last four digits of payment card numbers. The data, which comprises people who ordered online from the food chain, was visible in plain text.

According to

The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.

Redacted records from Panera’s site, which let anyone search by a variety of customer attributes, including phone number, email address, physical address or loyalty account number. In this example, the phone number was a main line at an office building where many different employees apparently registered to order food online.

Source:, “ Leaks Millions of Customer Records”


KrebsOnSecurity learned about the breach earlier today after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Web site back on August 2, 2017.

Further, according to

. . . the researcher who discovered the problem, along with Krebs, believes – despite Panera Bread publicly reporting that the leak has been fixed – that the data was still available for some length of time afterward. Krebs tweeted later on Monday that he found API issues on other subdomains within Panera Bread’s website.

Panera Bread appeared to take its site completely . . . offline later on Monday.

Dylan Houlihan reported that

. . . [i]n August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months. When Brian Krebs publicly broke the news, other news outlets emphasized the usual “We take your security very seriously, security is a top priority for us” prepared statement from Panera Bread. Worse still, the vulnerability was not fixed at all — which means the company either misrepresented its actual security posture to the media to save face or was not competent enough to determine this fact for themselves. This post establishes a canonical timeline so subsequent reporting doesn’t get confused. (Emphasis added)

The Verge reported:

Panera Bread issued a statement to Fox News this week saying it resolved a data breach that exposed the personal information of “thousands” of customer records. However, according to KrebsOnSecurity, the company was first alerted to the issue by security researcher Dylan Houlihan eight months ago but initially dismissed it as a likely scam.

. . .

KrebsOnSecurity says Houlihan contacted Panera on August 2nd, 2017, and then again to follow up a week later. A shared a message thread between Houlihan and Mike Gustavison, Panera’s director of information security, shows that Panera did eventually validate Houlihan’s findings, saying the company was working on a fix. However, as of yesterday, the website was still leaking data. Houlihan says the flaw continued to exist, and he “check[ed] on it every month or so because I was pissed.”

KrebsOnSecurity spoke with Panera’s chief information officer John Meister yesterday and the company briefly took the website offline. It has since returned, and the data is no longer reachable. However, the company had no comment as to why it allowed the problem to exist for months after it acknowledged it was an issue last August. KrebsOnSecurity says the number of accounts affected may be as high as 37 million, despite Panera disputing that only 10,000 records were exposed.

Kehoe Law Firm, P.C.