Panera Bread Data Breach Exposes 5.1M Customers
What Happened in the Breach
Panera Bread told Reuters that an incident occurred and that authorities were notified, and it described the exposed data as customer “contact information.”
The extortion group ShinyHunters claimed it stole a much larger dataset and threatened publication, then released data after the extortion attempt failed, according to multiple security and tech outlets that tracked the leak.
Independent analysis from the breach notification service Have I Been Pwned (HIBP) said the published material contained 14 million records but mapped to about 5.1 million unique email addresses, suggesting duplication across the dump rather than 14 million distinct people.

Timeline: From First Access To Latest Update
- January 22, 2026: Okta published threat research describing vishing-focused phishing kits that can adapt in real time to match a caller’s script and capture credentials and non-phishing-resistant MFA factors during live sessions
- January 27, 2026: The Register reported ShinyHunters’ claim of stolen Panera customer data and its stated use of Microsoft Entra SSO access in the campaign
- January 29, 2026: Reuters reported that Panera confirmed an incident, said the affected data was “contact information,” and said authorities were alerted
- January 30, 2026: Google Cloud’s threat intelligence team, including Mandiant, published research on ShinyHunters-branded SaaS data theft that uses vishing and credential-harvesting sites to obtain SSO credentials and MFA codes
- January 31, 2026: HIBP posted the Panera Bread breach entry, describing the extortion failure, public release, and the 5.1 million unique email count
- February 2, 2026: BleepingComputer reported the revised affected account estimate and noted Panera had not publicly posted broad customer notifications at that time
- February 3, 2026: SecurityWeek reported details of the leaked archive and described the activity as consistent with ShinyHunters extortion tactics tied to SSO access
- February 6, 2026: Bloomberg Law reported multiple proposed class actions filed in Missouri federal court tied to the January incident
- February 20, 2026: Additional consumer litigation coverage described continuing class action activity and the 5.1 million unique customer contact estimate
What Data Or Systems Were Affected
HIBP said the exposed dataset included 5.1 million unique email addresses plus associated account information such as names, phone numbers, and physical addresses.
Reuters reported that Panera characterized the exposed information as customer “contact information,” without publishing technical detail about the affected system or data store.
Some litigation reporting described additional fields, including usernames and birth dates, but those details have not been confirmed in Panera’s public statements and vary across accounts of the dump’s contents.
Who Was Responsible (Confirmed Vs Alleged)
Panera has publicly confirmed that an incident occurred, and it has not publicly named a threat actor in the Reuters account.
ShinyHunters claimed responsibility in leak site postings and related communications cited in multiple reports, and those reports treated the actor attribution as the group’s claim unless supported independently.
Google’s threat intelligence reporting described ShinyHunters-branded operations as a broader campaign that relies on voice phishing and credential harvesting to access SaaS platforms, which matches the pattern described around the Panera leak, even though Panera has not published a technical root cause statement.
How The Attack Worked
Security reporting tied the Panera leak to a wider run of identity-driven intrusions that start with voice phishing calls to employees, followed by victim-branded sign-in pages that capture single sign-on credentials and MFA codes in real time.
The Register and SecurityWeek reported that ShinyHunters claimed access through Microsoft Entra single sign-on credentials, a method consistent with the broader SSO targeting described in Okta and Google threat research.
Okta’s research described phishing kits that can keep pace with live calls and adjust prompts to match whatever MFA step a victim encounters, which helps explain how attackers can defeat SMS or one-time-passcode-based MFA when they act during the same authentication session.
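A defender-side illustration of the pattern described above, added here as an example and not taken from Okta's, Google's or Panera's material: a relayed login reaches the identity provider from the attacker's infrastructure, so a successful sign-in that used a relayable factor from an address never seen for that user is worth review. The event schema, field names, factor labels and sample events are constructed for illustration and do not match any vendor's log format.

```python
from collections import defaultdict

# Factors a caller can talk a victim into reading out or typing into a fake page.
# Constructed labels, not an identity provider's real enum values.
PHISHABLE = {"sms", "totp", "voice"}

# Constructed sign-in events (hypothetical schema; documentation IP ranges).
EVENTS = [
    {"time": "2026-01-05T09:02:00", "user": "alice", "ip": "198.51.100.10", "mfa": "totp", "result": "success"},
    {"time": "2026-01-06T09:01:00", "user": "alice", "ip": "198.51.100.10", "mfa": "totp", "result": "success"},
    {"time": "2026-01-06T10:00:00", "user": "bob", "ip": "198.51.100.22", "mfa": "fido2", "result": "success"},
    {"time": "2026-01-07T14:30:00", "user": "bob", "ip": "203.0.113.77", "mfa": "fido2", "result": "success"},
    {"time": "2026-01-08T15:12:00", "user": "alice", "ip": "203.0.113.50", "mfa": "totp", "result": "failure"},
    {"time": "2026-01-08T15:13:00", "user": "alice", "ip": "203.0.113.50", "mfa": "totp", "result": "success"},
]


def flag_relay_candidates(events):
    """Return successful sign-ins that used a phishable factor from an IP
    not in the user's baseline. A user's first sign-in only seeds the baseline."""
    known_ips = defaultdict(set)
    flagged = []
    # ISO 8601 timestamps in one timezone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue
        seen = known_ips[ev["user"]]
        if seen and ev["ip"] not in seen and ev["mfa"] in PHISHABLE:
            flagged.append(ev)
            continue  # keep unreviewed addresses out of the baseline
        # Origin-bound factors (fido2 here) cannot be relayed through a
        # look-alike page, so a new IP with such a factor extends the baseline.
        seen.add(ev["ip"])
    return flagged


if __name__ == "__main__":
    for ev in flag_relay_candidates(EVENTS):
        print(f'{ev["time"]} review: {ev["user"]} via {ev["mfa"]} from new IP {ev["ip"]}')
```

A new address alone is a weak signal for travelling or remote staff, so the output is a review queue rather than a block list.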
Impact and Risks for Customers
The leaked data type described in reporting centers on contact information, which often fuels targeted phishing, smishing, and social engineering attempts that use real addresses and phone numbers to raise credibility.
Public release of contact datasets also increases doxxing exposure and identity correlation risk, especially when attackers combine the dump with prior breaches and open source data to build more complete victim profiles.
The record count dispute matters because duplicate rows can inflate early headlines, but the presence of 5.1 million unique email addresses still creates a large targeting pool for follow-on scams.
Company Response And Customer Remediation
Panera told Reuters it alerted authorities and that the affected data was contact information, and it did not detail customer remediation steps in that statement.
BleepingComputer reported that Panera had not filed broad public breach notices for this customer dataset at the time of its coverage, which left customers dependent on secondary signals such as third-party breach reporting and account monitoring.
Panera’s prior breach handling in 2024 included written notification, an investigation timeline, and an offer of 1 year of identity protection services tied to that earlier incident, according to a sample notice posted by the California Attorney General, but Panera has not published an equivalent customer notice package for the 2026 contact data leak in the public reporting cited above.
Government, Law Enforcement, And Regulator Actions
Reuters reported that Panera alerted authorities, and Panera has not disclosed which agency received the report or whether a formal investigation is active.
Public reporting has not shown a state attorney general notification package for the 2026 customer contact leak similar to the 2024 posted sample notice, and BleepingComputer described an absence of formal breach notifications at the time of its report.
Okta and Google threat intelligence publications on the wider vishing and SSO campaign provided technical guidance for defenders, but those documents did not announce enforcement actions tied to Panera specifically.
Financial, Legal, And Business Impact
Bloomberg Law reported that at least 3 proposed class actions were filed in the U.S. District Court for the Eastern District of Missouri tied to the January breach allegations and the ShinyHunters attribution.
Panera’s exposure to repeat breach litigation has a recent reference point in its 2024 incident, where the settlement site for “In re Panera Data Security Litigation” described cash payment options and deadlines for claims tied to the earlier breach.
The operational impact for the 2026 incident remains hard to price publicly because Panera has not published costs for investigation, legal defense, customer support, or remediation tied to the 5.1 million contact dataset leak.
What Remains Unclear About the Breach
Panera has not published the earliest intrusion date, detection date, or dwell time for the access that led to the leaked customer contact dataset, so the timeline still rests on external reporting and the leak’s public appearance.
Panera has not released a technical root cause statement describing the entry point, affected systems, or control failures, and reporting that points to Microsoft Entra SSO access relies on ShinyHunters claims and pattern matching to the broader campaign described in threat intelligence research.
Panera has not announced a customer notification and remediation program for this 2026 contact leak, which leaves unanswered questions about direct outreach, credit monitoring offers, and long-term fraud support tied to this event.
Why This Incident Matters
The Panera leak fits a broader shift toward identity-first intrusions that target SSO accounts and defeat weak MFA controls through coordinated vishing plus real-time phishing infrastructure.
The data type in scope can look limited compared with breaches that expose passwords or payment details, but large-scale contact datasets still drive phishing campaigns at volume, and they can act as an entry point to more damaging fraud when victims respond to messages that look brand-authentic.
Panera’s confirmation to Reuters shows that extortion-led data theft has become a mainstream risk for consumer brands, not just software firms, and the wave nature of ShinyHunters-branded targeting has made incident isolation harder for defenders and investigators.
Bright Defense: Pen Tests and Continuous Compliance
Bright Defense reduces identity-driven intrusion risk through penetration testing and continuous compliance focused on SSO paths, SaaS misconfigurations, and help desk and MFA reset social engineering. Testing checks whether a single phished identity can reach customer data stores and provides remediation mapped to SOC 2 Trust Services Criteria.
Continuous compliance keeps identity, access, logging, and incident response controls current through recurring checks and evidence workflows, prioritizing phishing-resistant MFA, tighter conditional access for privileged accounts, stronger help desk verification, centralized logging and alerting, and regular incident response exercises.
Sources
- Reuters – Bumble, Match, Panera Bread and CrunchBase hit by cyberattacks, Bloomberg News reports (January 29, 2026)
https://www.reuters.com/business/bumble-match-panera-bread-crunchbase-hit-by-cyberattacks-bloomberg-news-reports-2026-01-29/
- Bloomberg – Bumble, Panera Bread, CrunchBase, Match Hit by Cyberattacks (January 28, 2026)
https://www.bloomberg.com/news/articles/2026-01-28/bumble-panera-bread-crunchbase-match-hit-by-cyberattacks
- Have I Been Pwned – Panera Bread Data Breach (January 31, 2026)
https://haveibeenpwned.com/Breach/PaneraBread
- BleepingComputer – Panera Bread breach impacts 5.1 million accounts, not 14 million customers (February 2, 2026)
https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/
- The Register – ShinyHunters claims Panera Bread in alleged data theft (January 27, 2026)
https://www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/
- SecurityWeek – Hackers Leak 5.1 million Panera Bread Records (February 3, 2026)
https://www.securityweek.com/hackers-leak-5-1-million-panera-bread-accounts/
- Okta – Phishing kits adapt to the script of callers (January 22, 2026)
https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
- Google Cloud, Mandiant – Tracking the Expansion of ShinyHunters Branded SaaS Data Theft (January 30, 2026)
https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
- Bloomberg Law – Panera Hit With 3 Class Actions Over January Data Breach (January 29, 2026)
https://news.bloomberglaw.com/privacy-and-data-security/panera-hit-with-three-class-actions-over-january-data-breach
- In re Panera Data Security Litigation – Settlement site for the 2024 incident (accessed February 22, 2026)
https://www.panerasettlement.com/
- California Department of Justice – Panera sample Notice of Data Breach PDF (2024)
https://oag.ca.gov/system/files/Panera_CA%20App%20%26%20Sample_0.pdf
- Fox News – Panera Bread data breach exposes 5.1M customers (February 19, 2026)
https://www.foxnews.com/tech/panera-bread-data-breach-exposes-5-1-million-customers