Panera Bread Data Breach Far Larger Than First Reported, Over Five Million Customers Affected

A data breach at Panera Bread is now understood to be significantly more serious than initially believed, with new analysis suggesting personal data belonging to more than five million customers has been exposed on the dark web.

When the breach first came to light in late January, the cybercrime group ShinyHunters claimed it had stolen 14 million customer records from the bakery cafe chain, which operates thousands of locations across the United States and Canada. Many reports initially interpreted this as meaning 14 million individual customers had been affected.

However, researchers at Have I Been Pwned have clarified that the real impact, while still substantial, is lower. After analysing the leaked dataset circulating online, they estimate that approximately 5.1 million unique individuals were affected, based on distinct email addresses contained within the breach.

“In January 2026, Panera Bread suffered a data breach that exposed 14 million records,” Have I Been Pwned? said in a statement. “After an attempted extortion failed, the attackers published the data publicly, which included 5.1 million unique email addresses along with associated account information such as names, phone numbers and physical addresses.”

The stolen data, reportedly around 760MB in compressed form, was later published to ShinyHunters’ data leak site after Panera Bread declined to meet extortion demands. The exposed information includes customers’ names, phone numbers, postal addresses, and physical addresses, raising concerns about identity theft, phishing, and other forms of fraud.

According to comments made by ShinyHunters to The Register, the attackers gained access through Microsoft Entrasingle sign on. If confirmed, the breach may be part of a wider campaign targeting identity providers, following recent warnings from Okta about sophisticated voice phishing attacks aimed at compromising single sign on credentials across Okta, Microsoft, and Google environments.

Panera Bread has since confirmed that it was breached, although it has not publicly disclosed detailed technical findings about the intrusion. Customers whose data may have been exposed are expected to be notified in line with regulatory requirements.

ShinyHunters has become one of the most prolific cybercrime groups currently operating. Unlike traditional ransomware operations, the group no longer deploys encryptors to lock victim systems. Instead, it focuses solely on data theft, demanding payment to prevent public disclosure. Security experts note that this approach is cheaper, faster, and often just as profitable as conventional ransomware attacks.

The Panera Bread incident highlights the growing risks associated with identity systems and single sign on platforms, as well as the increasing scale of data only extortion campaigns. For affected customers, the breach underscores the importance of monitoring accounts, being alert to phishing attempts, and using strong, unique passwords across online services.

Photo Credit: DepositPhotos.com