Panera Bread
Analysis of the Panera Bread data breach with 5.1 million customer accounts leaked by ShinyHunters after failed extortion attempt.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
Panera Bread
American chain of bakery-cafe restaurants with over 2,000 locations across the United States and Canada.
Sector
Food Service / Retail
Region
United States
Date of Incident
January 2026 (SSO credential compromise via vishing)
Date Disclosed
January 27, 2026 (ShinyHunters claim); February 2026 (data published)
Estimated Impact
5.1 million unique accounts
Data Types Exposed
Names, email addresses, phone numbers, home addresses, account details
Attack Type
Data Breach
Attack Vector
Voice phishing (vishing) targeting Microsoft Entra SSO credentials
Threat Actor
ShinyHunters
Current Status
Panera confirmed incident. 760MB data archive published after failed extortion. At least 3 class-action lawsuits filed. No credit monitoring announced.
Severity Assessment
High. 5.1 million unique customer accounts exposed. Part of broader ShinyHunters SSO vishing campaign targeting 100+ organisations.
What Happened
In February 2026, data from approximately 5.1 million unique Panera Bread accounts was leaked after an extortion attempt failed. The ShinyHunters group claimed responsibility.
The compromised data includes names, email addresses, phone numbers, and physical addresses. A 760MB data archive was published after the extortion deadline passed.
Timeline
January 2026
ShinyHunters compromise Microsoft Entra SSO credentials via voice phishing
January 27, 2026
ShinyHunters publicly claim responsibility for the breach
February 2026
760MB data archive published after extortion deadline passes
February 2026
At least three class-action lawsuits filed against Panera Bread
Threat Actor Profile
ShinyHunters targeted Panera Bread as part of a broader campaign in early 2026, compromising over 100 organisations through voice phishing attacks targeting SSO credentials.
The group's standard playbook involves demanding payment, setting a deadline, and publishing data if the target does not comply.
Impact and Risk Assessment
For Affected Individuals
5.1 million customers had their contact information exposed, enabling large-scale phishing campaigns impersonating Panera Bread.
Physical addresses combined with other personal details increase the risk of targeted social engineering and identity fraud.
For Organisations
Panera faces at least three class-action lawsuits and reputational damage to its loyalty programme and customer relationships.
The incident demonstrates that food service and retail companies are not immune to sophisticated threat groups.
Regulatory Context
US state data breach notification laws apply. The lack of announced credit monitoring may become a point of contention in class-action proceedings.
What Should You Do?
If You Are a Potentially Affected Individual
Change your Panera Bread account password and any other accounts where you used the same credentials.
Be wary of emails or messages claiming to be from Panera Bread, particularly those offering refunds or requesting account verification.
If You Are a Security or Risk Professional
Implement phishing-resistant MFA such as FIDO2/WebAuthn to mitigate vishing attacks targeting SSO credentials.
Ensure your organisation has a clear extortion response policy established before an incident occurs.
Learnings and Recommendations
This incident demonstrates the standard extortion playbook: claim, demand, deadline, publish. Companies need clear policies for responding to extortion demands before they receive one.
Contact data at this volume enables large-scale phishing campaigns impersonating the affected brand.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.