Bug Possibly Exposed Data on Millions of Panera Customers
Apparently, Panera Bread has been ignoring a data breach that may affect millions of customers who placed online orders.
The vendor's website has been accidentally leaking full names, email addresses, telephone numbers, home addresses and the last four digits of credit card numbers, according to security researcher Dylan Houlihan.
Houlihan claims he repeatedly warned the company about the breach back in August 2022 but the vendor did nothing. It wasn't until Monday, when the media began to expose the whole incident, that the company patched the problem.
"Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months," Houlihan wrote in a blog post about the breach.
The vulnerability itself involves an API in Panera's website that can let developers pull customer information. But according to Houlihan, that same API is publicly available and requires no password to access. As a result, anyone could access the website's customer database, and potentially mine the sensitive details.
Houlihan's blog post goes on to show email exchanges with Panera's information security director Mike Gustavison in early August. "Now, after I was reassured this would be fixed, I checked on this vulnerability every month or so because my own data is in there," Houlihan added. "So I personally know for a fact that it was never patched in the interim."
On Monday, after security reporter Brian Krebs reported on the breach, Panera fixed the problem. But the vendor appears to be downplaying the severity of the incident, telling Fox Business that "Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue."
However, Krebs and Houlihan estimate the number of affected consumers may easily cross into the millions. That's because the vulnerable API in the Panera website stored customer IDs that reach over 7 million. If that wasn't enough, Krebs noticed the problem extended to another vulnerable API for Panera's online catering business. "At last count, the number of customer records exposed in this breach appears to exceed 37 million," Krebs wrote.
Panera did not immediately respond to a request for comment. It's unclear if anyone with nefarious intent exploited the website vulnerabilities.
Source: https://sea.pcmag.com/news/20435/bug-possibly-exposed-data-on-millions-of-panera-customers
Posted by: mcginnisanaturis.blogspot.com