What Happened
In February 2026, data from approximately 5.1 million unique Panera Bread accounts was leaked after an extortion attempt failed. The ShinyHunters group claimed responsibility.
The compromised data includes names, email addresses, phone numbers, and physical addresses. A 760MB data archive was published after the extortion deadline passed.
Timeline
- January 2026 — ShinyHunters compromise Microsoft Entra SSO credentials via voice phishing
- January 27, 2026 — ShinyHunters publicly claim responsibility for the breach
- February 2026 — 760MB data archive published after extortion deadline passes
- February 2026 — At least three class-action lawsuits filed against Panera Bread
Threat Actor Profile
ShinyHunters targeted Panera Bread as part of a broader campaign in early 2026, compromising over 100 organisations through voice phishing attacks targeting SSO credentials.
The group's standard playbook involves demanding payment, setting a deadline, and publishing data if the target does not comply.
Impact and Risk Assessment
For Individuals
5.1 million customers had their contact information exposed, enabling large-scale phishing campaigns impersonating Panera Bread.
Physical addresses combined with other personal details increase the risk of targeted social engineering and identity fraud.
For Organisations
Panera faces at least three class-action lawsuits and reputational damage to its loyalty programme and customer relationships.
The incident demonstrates that food service and retail companies are not immune to sophisticated threat groups.
Regulatory Context
US state data breach notification laws apply. The lack of announced credit monitoring may become a point of contention in class-action proceedings.
What Should You Do?
For Individuals
- Change your Panera Bread account password and any other accounts where you used the same credentials.
- Be wary of emails or messages claiming to be from Panera Bread, particularly those offering refunds or requesting account verification.
For Security Professionals
- Implement phishing-resistant MFA such as FIDO2/WebAuthn for SSO. Because the authenticator binds its assertion to the legitimate login origin, a user talked through a login by a vishing caller has no one-time code or push approval to hand over, which is what defeats attacks of the kind used here.
- Ensure your organisation has a clear extortion response policy established before an incident occurs.
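As an added example that is not part of the original article, the following Entra Conditional Access policy, created through Microsoft Graph PowerShell, enforces the first recommendation above. The break-glass group id is a placeholder, and the authentication strength id is Entra's documented built-in "Phishing-resistant MFA" strength.

```powershell
# Added example (not from the article): an Entra Conditional Access policy that
# requires the built-in "Phishing-resistant MFA" authentication strength for all
# users and all cloud apps. Needs the Microsoft.Graph.Identity.SignIns module and
# the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the group holding your emergency-access accounts.
$breakGlassGroupId = "<break-glass-group-object-id>"

$policy = @{
    displayName = "Require phishing-resistant MFA for SSO"
    # Report-only first: sign-in logs show who would be blocked without
    # locking anyone out. Switch to "enabled" once the rollout is verified.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        # Built-in authentication strength "Phishing-resistant MFA": FIDO2
        # security keys, device-bound passkeys, Windows Hello for Business,
        # and certificate-based authentication. SMS, TOTP and push are excluded.
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the Entra sign-in logs before enforcing, and confirm the break-glass accounts are genuinely excluded so a misconfiguration cannot lock administrators out.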
Learnings and Recommendations
This incident demonstrates the standard extortion playbook: claim, demand, deadline, publish. Companies need clear policies for responding to extortion demands before they receive one.
Contact data at this volume enables large-scale phishing campaigns impersonating the affected brand.