Panera Bread has been named by the cybercrime group ShinyHunters as the latest victim in a large-scale stolen credentials incident.
This raises fresh concerns about the security of single sign-on systems and the growing effectiveness of social engineering attacks targeting major consumer brands.
The group claims it obtained sensitive customer data linked to Panera Bread and has listed the company on its data leak site alongside other high-profile organizations. While Panera Bread has not publicly confirmed the breach, the allegations point to the exposure of millions of customer records and highlight a wider campaign that security researchers say is affecting companies across multiple sectors.
Alleged data theft
The information was shared on Daily Dark Web, according to which approximately 14 million Panera Bread customer records were taken during the intrusion. The dataset allegedly includes names, email addresses, postal addresses, phone numbers, and account-related details. The group claims the stolen information amounts to roughly 760 MB of compressed data.
If accurate, the scale of the alleged breach would place it among the larger consumer data exposures reported in recent months, particularly within the food and retail sector. While there is no indication that payment card data or passwords were included, the type of personal information described could still be used for phishing, identity fraud, and account takeover attempts.
Cybersecurity experts routinely warn that large troves of basic customer data can be just as valuable to criminals as financial details, especially when combined with information obtained from other breaches.
SSO under scrutiny
ShinyHunters told The Register that it gained access to Panera Bread’s systems through Microsoft Entra single sign-on. If confirmed, this would align the incident with a broader wave of attacks targeting identity and access management platforms rather than individual applications.
SSO systems are widely used by large organizations to simplify employee access across multiple services. However, compromising a single set of credentials or authentication flow can potentially provide attackers with broad internal access.
The alleged Panera Bread breach comes shortly after Okta warned that threat actors were actively targeting SSO platforms operated by Okta, Microsoft, and Google using sophisticated voice phishing, or “vishing,” techniques. These attacks typically involve impersonating IT staff or trusted service providers to trick employees into sharing authentication codes or approving login attempts.
The victims
Panera Bread is not the only company ShinyHunters claims to have breached using these methods. The group has also named CarMax and Edmunds, and previously alleged breaches at Crunchbase and Betterment.
So far, most of the organizations named have not publicly commented on the claims. Betterment is the only company to confirm an incident, acknowledging that its employees were targeted in a social engineering attack earlier this month.
“The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations,” the company said.
“Once they gained access, the unauthorized individual was able to send a fraudulent, crypto-related message that appeared to come from Betterment to a subset of our customers.”
Security researchers say these incidents underscore how attackers are increasingly bypassing traditional technical defenses by focusing on human targets instead.
ShinyHunters’ evolving tactics
ShinyHunters has been active for several years and is widely regarded as one of the most prolific data extortion groups currently operating. Unlike traditional ransomware gangs, the group has largely abandoned the use of file-encrypting malware.
Instead, ShinyHunters focuses on quietly exfiltrating data and then demanding payment to prevent its public release. This approach reduces operational complexity, lowers the risk of detection, and can still generate substantial profits.
By avoiding encryption, the group also sidesteps some of the immediate operational disruptions that often force victims to acknowledge ransomware attacks publicly. This may help explain why several companies named by ShinyHunters have remained silent so far.
Implications for consumers and businesses
For Panera Bread customers, the alleged breach highlights the ongoing risk posed by large-scale data aggregation. Even without passwords or financial data, exposed contact information can be weaponized in follow-on scams that appear highly credible.
Consumers are generally advised to remain cautious of unsolicited emails or messages claiming to come from Panera Bread or related services, particularly those requesting account verification or personal details.
For businesses, the incident adds to mounting evidence that identity infrastructure has become a prime target for cybercriminals. Security experts increasingly recommend stronger authentication controls, improved employee training against social engineering, and tighter monitoring of SSO activity to detect unusual behavior early.

