Panera Bread Microsoft Entra SSO Breach: ShinyHunters Leak 5.1 Million Customer Records in 2026 Data Attack
- Feb 4

Executive Summary
In January 2026, Panera Bread experienced a significant data breach attributed to the cybercriminal group ShinyHunters. The attackers gained unauthorized access to Panera Bread’s systems by compromising a Microsoft Entra Single Sign-On (SSO) code, likely through a vishing (voice phishing) campaign. Following a failed extortion attempt, the attackers publicly leaked a dataset containing 5.1 million unique customer records. The compromised data includes names, email addresses, phone numbers, home addresses, and account details, with Panera Bread confirming that only contact information was exposed. There is no confirmed evidence of payment data exposure. The breach highlights ongoing risks associated with SSO implementations and social engineering attacks in the retail and food service sectors. Panera Bread has notified authorities and stated that steps have been taken to address the incident. The technical analysis confirms the attack vector as SSO compromise via vishing, with no specific software vulnerability disclosed. The incident underscores the need for robust SSO security, phishing-resistant multi-factor authentication (MFA), and comprehensive employee awareness programs.
Technical Information
The breach of Panera Bread’s customer data was executed by the ShinyHunters group, a threat actor known for large-scale data theft and extortion. The attackers exploited a Microsoft Entra SSO code, which allowed them to bypass authentication controls and access sensitive customer information. The primary attack vector was a vishing campaign, a form of social engineering where attackers impersonate IT staff over the phone to trick employees into entering their credentials into a phishing website designed to mimic the legitimate SSO platform. This method enabled the attackers to capture valid login information and session tokens, granting them unauthorized access to Panera Bread’s systems (Mashable, January 30, 2026: https://mashable.com/article/panera-bread-breach-shinyhunters-voice-phishing-14-million-customers; Security Affairs, February 2, 2026: https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html?amp).
The technical tactics used in this incident align with several MITRE ATT&CK techniques. The initial access was achieved through T1566.004 (Phishing: Spearphishing Voice, or vishing), where attackers used phone calls to deceive employees. Once credentials were obtained, T1078 (Valid Accounts) was employed, as the attackers used legitimate credentials to access internal systems. The abuse of SSO tokens and session hijacking is mapped to T1556 (Modify Authentication Process), allowing attackers to bypass standard authentication mechanisms. While not explicitly confirmed, T1110 (Brute Force, which includes credential stuffing as a sub-technique) is a common follow-up in such campaigns, especially if credentials are reused across services (MITRE ATT&CK: https://attack.mitre.org/techniques/T1566/004/; https://attack.mitre.org/techniques/T1078/; https://attack.mitre.org/techniques/T1556/; https://attack.mitre.org/techniques/T1110/).
No specific malware was reported in the incident. The compromise relied on social engineering and the abuse of authentication tokens rather than the deployment of malicious software. Security experts cited in the Mashable article referenced the likely use of custom, real-time phishing kits capable of capturing credentials and session tokens during the vishing calls, as described in recent advisories from Okta and other identity providers (Mashable, January 30, 2026: https://mashable.com/article/panera-bread-breach-shinyhunters-voice-phishing-14-million-customers).
The ShinyHunters group has a documented history of targeting large organizations in the retail, food service, and technology sectors, often using credential theft and social engineering as primary attack vectors. Their tactics, techniques, and procedures (TTPs) include large-scale credential theft, extortion attempts, and public data leaks when ransom demands are not met. The Panera Bread breach is consistent with these established TTPs (Security Affairs, February 2, 2026: https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html?amp; Offseq Radar, February 3, 2026: https://radar.offseq.com/threat/hackers-leak-51-million-panera-bread-records-da8bcba7).
The incident also highlights sector-specific risks for retail and food service organizations, which often maintain large repositories of customer data and rely on SSO and cloud-based identity providers. The breach demonstrates the vulnerability of SSO implementations that do not employ phishing-resistant MFA and the challenges of operationalizing identity security at scale. Notably, Panera Bread previously suffered a major data exposure incident in 2018, indicating a pattern of repeated compromise and ongoing challenges in securing customer data (Security Affairs, February 2, 2026: https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html?amp; Mashable, January 30, 2026: https://mashable.com/article/panera-bread-breach-shinyhunters-voice-phishing-14-million-customers).
The technical confidence in the attack vector and attribution is high, as multiple independent sources confirm the use of vishing to compromise SSO credentials, and the ShinyHunters group has publicly claimed responsibility. The mapping to MITRE ATT&CK techniques is directly supported by the attack narrative and corroborated by expert analysis.
Affected Versions & Timeline
The breach affected Panera Bread’s customer data repositories, with no specific software versions or products identified as vulnerable. The attack exploited operational security weaknesses in the SSO authentication process rather than a software vulnerability.
The timeline of the incident is as follows: In January 2026, the ShinyHunters group breached Panera Bread’s systems, stealing approximately 14 million customer records. After an unsuccessful extortion attempt, the attackers publicly leaked a dataset containing 5.1 million unique records. Panera Bread confirmed the breach, notified authorities, and stated that the exposed data was limited to contact information. As of the latest reporting, no public notification to affected customers has been issued, and no regulatory filings or law enforcement advisories have been identified in the available sources (Security Affairs, February 2, 2026: https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html?amp; Offseq Radar, February 3, 2026: https://radar.offseq.com/threat/hackers-leak-51-million-panera-bread-records-da8bcba7; Mashable, January 30, 2026: https://mashable.com/article/panera-bread-breach-shinyhunters-voice-phishing-14-million-customers).
Threat Activity
The threat activity in this incident centers on the use of vishing to compromise SSO credentials and gain unauthorized access to sensitive customer data. The ShinyHunters group targeted Panera Bread’s identity infrastructure by impersonating IT staff and convincing employees to enter their credentials into a phishing site. This allowed the attackers to capture valid login information and session tokens, which were then used to access customer data repositories.
The attackers initially attempted to extort Panera Bread by threatening to release the stolen data. When the extortion attempt failed, they published a 760MB archive containing 5.1 million unique customer records on their data leak site. The compromised data includes names, email addresses, phone numbers, home addresses, and account details. While some sources suggest the possible exposure of payment information, Panera Bread has confirmed that only contact information was involved (Security Affairs, February 2, 2026: https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html?amp; Offseq Radar, February 3, 2026: https://radar.offseq.com/threat/hackers-leak-51-million-panera-bread-records-da8bcba7).
There is no evidence of active exploitation beyond the data leak, and no known malware or exploits in the wild have been reported in connection with this incident. The primary risk to affected individuals is the potential for identity theft, phishing, and social engineering attacks using the leaked personal information. The incident also poses reputational and regulatory risks for Panera Bread and organizations with business relationships or supply chain ties to the company.
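A detection sketch for the token reuse described above, added here as an example and not taken from the report or from any vendor's tooling: it flags a session that is established with MFA and then reused from a different IP address and client shortly afterwards. The record layout and field names (`session_id`, `ip`, `user_agent`, `mfa`) are assumptions for illustration, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records. Field names (session_id, ip, user_agent, mfa)
# are assumptions for this sketch, not a real identity-provider export schema.
SAMPLE_SIGNINS = [
    {"time": "2026-01-12T14:02:11Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.20", "user_agent": "Edge/131 Windows", "mfa": True},
    {"time": "2026-01-12T14:09:40Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.77", "user_agent": "python-requests/2.32", "mfa": False},
    {"time": "2026-01-12T15:30:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "198.51.100.31", "user_agent": "Chrome/131 macOS", "mfa": True},
    {"time": "2026-01-12T16:10:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "198.51.100.31", "user_agent": "Chrome/131 macOS", "mfa": False},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_session_replay(signins, window=timedelta(hours=1)):
    """Flag sessions whose token is reused from a new IP *and* a new client
    within `window` of the MFA-satisfied sign-in that created the session."""
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["session_id"]].append(rec)
    findings = []
    for session_id, recs in by_session.items():
        recs.sort(key=lambda r: _ts(r["time"]))
        origin = next((r for r in recs if r["mfa"]), None)
        if origin is None:
            continue  # no MFA-backed origin event to compare against
        for rec in recs:
            if rec is origin:
                continue
            delta = _ts(rec["time"]) - _ts(origin["time"])
            moved = rec["ip"] != origin["ip"] and rec["user_agent"] != origin["user_agent"]
            if moved and timedelta(0) <= delta <= window:
                findings.append({"user": rec["user"], "session_id": session_id,
                                 "origin_ip": origin["ip"], "replay_ip": rec["ip"],
                                 "seconds_after_mfa": int(delta.total_seconds())})
    return findings

if __name__ == "__main__":
    for hit in find_session_replay(SAMPLE_SIGNINS):
        print(hit)
```

A real-time phishing kit can complete the original sign-in from its own infrastructure, so the MFA-backed sign-in itself should also be compared against the user's usual locations and devices.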
Mitigation & Workarounds
The following mitigation strategies are prioritized by severity:
Critical: Organizations should implement phishing-resistant multi-factor authentication (MFA) for all SSO and privileged accounts. This includes hardware security keys or app-based authenticators that are resistant to real-time phishing and vishing attacks.
High: Conduct regular security audits and penetration testing of systems handling sensitive customer data, with a focus on identity and access management infrastructure. Review and strengthen access controls to limit exposure in the event of credential compromise.
High: Provide comprehensive employee training on social engineering risks, including vishing and phishing, with simulated exercises to reinforce secure behavior and rapid reporting of suspicious activity.
Medium: Monitor for misuse of leaked data by tracking dark web and threat intelligence sources for signs of credential abuse, targeted phishing, or identity theft campaigns.
Medium: Review and update incident response plans to ensure timely notification of affected individuals and compliance with relevant data protection regulations, such as GDPR for organizations with European customers or supply chain partners.
Low: For organizations with supply chain ties to Panera Bread or similar entities, conduct due diligence on third-party security practices and require contractual security obligations related to data protection.
No specific software patches or fixes have been announced, as the breach resulted from operational security failures rather than a technical vulnerability (Offseq Radar, February 3, 2026: https://radar.offseq.com/threat/hackers-leak-51-million-panera-bread-records-da8bcba7).
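As an added example for the critical mitigation above (not code from the report, Panera Bread, or Microsoft), the following audit checks exported Conditional Access policies for sign-in paths that still accept phishable methods. It assumes policies exported as JSON in the shape of Microsoft Graph's conditionalAccessPolicy resource; the sample policies are constructed, and the set of methods treated as phishing-resistant is an assumption of this sketch.

```python
# Methods treated as phishing-resistant in this sketch (an assumption); any
# combination with a password, OTP, SMS, voice or push step can be relayed
# by a real-time phishing page while the caller keeps the victim on the phone.
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"}

# Constructed policies shaped like a Microsoft Graph conditionalAccessPolicy export.
SAMPLE_POLICIES = [
    {"displayName": "CA01 - MFA for all users", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "CA02 - Admins need passkeys", "state": "enabled",
     "grantControls": {"builtInControls": [], "authenticationStrength": {
         "displayName": "Phishing-resistant MFA",
         "allowedCombinations": ["fido2", "windowsHelloForBusiness",
                                 "x509CertificateMultiFactor"]}}},
    {"displayName": "CA03 - Help desk custom strength", "state": "enabled",
     "grantControls": {"builtInControls": [], "authenticationStrength": {
         "displayName": "Custom",
         "allowedCombinations": ["fido2", "password,microsoftAuthenticatorPush"]}}},
    {"displayName": "CA04 - Pilot", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"builtInControls": [], "authenticationStrength": {
         "displayName": "Phishing-resistant MFA", "allowedCombinations": ["fido2"]}}},
]

def audit_policy(policy):
    """Return (verdict, reason) for one exported policy."""
    if policy.get("state") != "enabled":
        return "not-enforced", f"state is {policy.get('state')}"
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength")
    if not strength:
        controls = ",".join(grant.get("builtInControls") or []) or "none"
        return "phishable", f"no authentication strength (controls: {controls})"
    combos = set(strength.get("allowedCombinations") or [])
    if not combos:
        return "phishable", "authentication strength lists no methods"
    weak = sorted(combos - PHISHING_RESISTANT)
    if weak:
        return "phishable", "allows " + "; ".join(weak)
    return "phishing-resistant", strength.get("displayName", "")

def audit(policies):
    """Map each policy name to its (verdict, reason)."""
    return {p["displayName"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_POLICIES).items():
        print(f"{verdict:18} {name}: {reason}")
```

A policy in report-only state is listed separately because it logs the outcome without blocking a sign-in.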
References
Security Affairs, February 2, 2026: https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html?amp
Offseq Radar, February 3, 2026: https://radar.offseq.com/threat/hackers-leak-51-million-panera-bread-records-da8bcba7
Mashable, January 30, 2026: https://mashable.com/article/panera-bread-breach-shinyhunters-voice-phishing-14-million-customers
MITRE ATT&CK T1566.004: https://attack.mitre.org/techniques/T1566/004/
MITRE ATT&CK T1078: https://attack.mitre.org/techniques/T1078/
MITRE ATT&CK T1556: https://attack.mitre.org/techniques/T1556/
MITRE ATT&CK T1110: https://attack.mitre.org/techniques/T1110/
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their supply chain and vendor ecosystem. Our platform enables continuous evaluation of third-party security posture, supports incident response workflows, and facilitates compliance with data protection regulations. For questions about this report or to discuss how our capabilities can support your risk management strategy, contact us at ops@rescana.com.


