
Panera Bread breach impacts 5.1 million accounts, not 14 million customers


The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported.

Founded in 1987, the company operates nearly 2,300 bakery-cafes across 48 U.S. states and in Ontario, Canada, under the names Panera Bread or Saint Louis Bread Co.

Have I Been Pwned's report comes after the ShinyHunters extortion gang claimed in late January that they had stolen a wide range of personally identifiable information (PII) and contact information for over 14 million Panera Bread user accounts. The cybercrime group has since leaked an archive of nearly 760 MB of documents on its dark web leak site, containing data stolen from Panera Bread.

"These files were leaked on the ShinyHunters DLS because the victim did not pay a ransom or cooperate and comply with the ShinyHunters group," the extortion gang says in a text file added to the leaked archive.

ShinyHunters told BleepingComputer that they gained access to Panera's systems via a Microsoft Entra single sign-on (SSO) code. The attack was part of a new ShinyHunters voice phishing (vishing) campaign targeting SSO accounts at Okta, Microsoft, and Google across more than 100 high-profile organizations.

"In January 2026, Panera Bread suffered a data breach that exposed 14M records," said data breach notification service Have I Been Pwned over the weekend. "After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses."

While other news outlets reported, immediately after ShinyHunters claimed the attack, that the breach affected 14 million Panera Bread customers, the extortion gang's website explained that the number refers to records stolen during the attack. According to BleepingComputer's count, these stolen records contain personal information for roughly 5,120,000 unique user accounts, which may represent fewer customers, since each affected individual may have used more than one account.

BleepingComputer also found more than 26,000 unique panerabread.com email addresses, likely belonging to Panera Bread employees whose PII was stolen in the breach.

ShinyHunters leak site (BleepingComputer)

While Panera Bread has yet to file data breach notifications or issue a statement about the incident, it has notified authorities and confirmed the breach, saying that "the data involved is contact information."
