Panera Bread's 14M customer records exposed in new Microsoft 365 breach
Panera Bread has suffered another major data breach, this time exposing over 14 million customer records. The hacking group ShinyHunters accessed the company's database through a flaw in Microsoft 365's Entra single-sign-on system. Meanwhile, cybersecurity firm Okta has issued warnings about rising voice phishing attacks targeting similar login platforms.
ShinyHunters exploited a vulnerability in Panera Bread's Microsoft 365 Entra SSO setup to steal customer data. The compromised records include names, email addresses, phone numbers, home addresses, and account details. This isn't the first time the bakery chain has faced such an issue: in 2018, it accidentally left millions of customer records exposed in plain text on its website.
The same group has claimed responsibility for recent breaches at Bumble, Match Group services, and CrunchBase. ShinyHunters typically profits by selling stolen databases on dark web forums or negotiating ransoms with affected companies. Panera Bread has confirmed the breach and is now working to contain the incident.
Okta's recent alert highlights a broader threat: voice phishing campaigns are increasingly targeting SSO platforms like Okta, Microsoft, and Google. Security experts recommend stronger defences, such as phishing-resistant multi-factor authentication (MFA) and proactive training against social engineering attacks.
Panera Bread is responding to the breach, but the incident adds to a growing list of high-profile data leaks tied to SSO vulnerabilities. Companies relying on single-sign-on systems are now under pressure to tighten security measures. The repeated breaches also raise concerns about how effectively businesses protect customer information from determined cybercriminals.