- Severity: high
- Records: 5,100,000
- Vector: Vishing — Microsoft Entra SSO compromise
- Organization: Panera Bread
- Incident Date: 2026-01-15
What Happened
Panera Bread, the American bakery-café chain, suffered a data breach in January 2026 when the ShinyHunters cybercriminal group compromised its systems through a Microsoft Entra SSO vishing attack. After Panera refused extortion demands, ShinyHunters leaked 5.1 million customer records containing personal information.
Incident overview
| Attribute | Details |
|---|---|
| Victim | Panera Bread |
| Industry | Restaurant/Food service |
| Attack date | January 2026 |
| Discovery | January 2026 |
| Accounts affected | 5,100,000 |
| Initial claim | 14 million records |
| Attack method | Microsoft Entra SSO vishing |
| Threat actor | ShinyHunters |
| Ransom demanded | Yes |
| Ransom paid | No |
| Data leaked | Yes (760GB archive) |
Timeline
| Date | Event |
|---|---|
| January 2026 | ShinyHunters initiates vishing campaign |
| January 2026 | Microsoft Entra SSO credentials compromised |
| January 2026 | Attackers access Panera systems |
| January 2026 | 14 million records exfiltrated |
| January 2026 | Extortion demand issued |
| January 2026 | Panera refuses payment |
| February 2, 2026 | 760GB archive leaked on Tor site |
| February 2026 | HIBP confirms 5.1 million unique accounts |
Data exposed
| Data type | Status |
|---|---|
| Full names | Confirmed |
| Email addresses | Confirmed |
| Phone numbers | Confirmed |
| Home addresses | Confirmed |
| Account details | Confirmed |

| Data type | Scope |
|---|---|
| Employee emails | ~26,000 @panerabread.com addresses |
| Employee PII | Included in breach |
NOT confirmed exposed
| Data type | Status |
|---|---|
| Payment card data | No evidence of exposure |
| Financial information | Not confirmed |
Attack methodology
Vishing campaign
| Stage | Details |
|---|---|
| Target | Panera employee with SSO access |
| Method | Voice phishing (vishing) |
| Goal | Obtain Microsoft Entra SSO credentials |
| Outcome | Successful credential theft |
ShinyHunters has been conducting widespread vishing campaigns targeting SSO accounts at organizations using Okta, Microsoft Entra, and Google authentication across more than 100 high-profile companies.
SSO exploitation
| Step | Action |
|---|---|
| 1 | Social engineer employee via phone |
| 2 | Obtain Microsoft Entra SSO code |
| 3 | Use code to access Panera systems |
| 4 | Exfiltrate customer and employee data |
| 5 | Issue extortion demand |
Record count clarification
| Metric | Count |
|---|---|
| Records stolen | 14 million |
| Unique accounts | 5.1 million |
| Difference | Multiple records per customer |
Have I Been Pwned analysis determined that while 14 million records were stolen, these represent approximately 5.1 million unique individuals, as many customers had multiple account records.
ShinyHunters campaign context
The Panera breach was part of a broader ShinyHunters vishing campaign:
| Target | Outcome |
|---|---|
| Panera Bread | 5.1M accounts leaked |
| Match Group | "Limited" user data stolen |
| SoundCloud | 29.8M accounts leaked |
| Harvard/UPenn | 2M+ records leaked |
| Crunchbase | 2M+ records leaked |
Business impact
| Impact | Details |
|---|---|
| Data exposure | 5.1 million customers |
| Employee exposure | ~26,000 employees |
| Reputational damage | Public leak on dark web |
| Regulatory risk | Potential state AG investigations |
| Notification costs | Required breach notifications |
Recommendations
For affected customers
| Priority | Action |
|---|---|
| Critical | Check Have I Been Pwned for your email |
| High | Change Panera account password |
| High | Watch for phishing emails referencing Panera |
| High | Monitor for suspicious activity using your info |
| Medium | Consider credit monitoring if address exposed |
For organizations
| Priority | Action |
|---|---|
| Critical | Implement phishing-resistant MFA (FIDO2) |
| Critical | Train employees on vishing attacks |
| High | Monitor SSO authentication anomalies |
| High | Implement callback verification for sensitive requests |
| Medium | Segment access based on need |
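
One way to act on the "Monitor SSO authentication anomalies" recommendation, as an added example (not part of the original report, nor code from Panera or Microsoft): flag successful sign-ins that come from an IP and a device both new for the user and that were completed with a factor an employee can be talked into relaying over the phone. The event layout, the method labels and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed method labels for this example; map them to your identity provider's values.
PHISHING_RESISTANT = {"fido2", "windows_hello"}

# Constructed sign-in events (not real log data):
# (time, user, source IP, device id, second factor used, success)
EVENTS = [
    ("2026-01-05T09:02:00", "alice@example.com", "198.51.100.10", "dev-a1", "push", True),
    ("2026-01-12T08:55:00", "alice@example.com", "198.51.100.10", "dev-a1", "push", True),
    ("2026-01-15T14:31:00", "alice@example.com", "203.0.113.77", "dev-x9", "otp_code", True),
    ("2026-01-15T14:40:00", "alice@example.com", "203.0.113.77", "dev-x9", "otp_code", True),
    ("2026-01-06T10:00:00", "bob@example.com", "198.51.100.20", "dev-b1", "fido2", True),
    ("2026-01-15T11:00:00", "bob@example.com", "192.0.2.5", "dev-b2", "fido2", True),
    ("2026-01-15T12:00:00", "carol@example.com", "203.0.113.77", "dev-x9", "otp_code", False),
]


def flag_signins(events, baseline_days=30):
    """Return [(time, user, ip)] for successful sign-ins from an IP and a device
    both unseen in the user's recent baseline that used a phishable factor."""
    window = timedelta(days=baseline_days)
    baseline = {}  # user -> [(time, ip, device)] from sign-ins judged normal
    alerts = []
    for ts, user, ip, device, method, success in sorted(events):
        if not success:
            continue  # failed attempts belong to a separate detection
        now = datetime.fromisoformat(ts)
        recent = [h for h in baseline.get(user, []) if now - h[0] <= window]
        known_ips = {h[1] for h in recent}
        known_devices = {h[2] for h in recent}
        # With no recent history there is nothing to compare against, so no alert.
        unfamiliar = bool(recent) and ip not in known_ips and device not in known_devices
        if unfamiliar and method not in PHISHING_RESISTANT:
            alerts.append((ts, user, ip))
            continue  # a suspicious session must not teach the baseline
        baseline.setdefault(user, []).append((now, ip, device))
    return alerts


if __name__ == "__main__":
    for alert in flag_signins(EVENTS):
        print("REVIEW:", *alert)
```

Flagged sessions are kept out of the baseline, so a follow-up sign-in from the same unfamiliar IP and device is still reported. A baseline window that is too short leaves nothing to compare against and the same events pass silently.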
Context
The Panera Bread breach demonstrates ShinyHunters’ refined attack playbook: target SSO credentials through vishing, bypass technical controls via social engineering, and extort or leak when payment is refused.
The use of Microsoft Entra SSO as the attack vector highlights that modern authentication systems are only as secure as the humans who use them. Phishing-resistant MFA (hardware keys, FIDO2) would have prevented this attack, as social engineering cannot bypass physical authentication requirements.
For affected customers, the exposure of names, emails, phone numbers, and addresses creates significant phishing risk. Attackers can craft highly convincing messages referencing Panera orders, rewards programs, or account issues. Verifying communications through official channels rather than clicking links is essential.
The 5.1 million affected individuals should expect increased spam and potential targeted scams. While payment data was not confirmed exposed, the combination of personal details enables identity-related fraud attempts that may persist for years.