Data belonging to nearly 5.2 million Panera Bread customers has been leaked online, significantly widening the scope of a security incident originally reported in 2024. The breach data was recently indexed by the breach notification service Have I Been Pwned (HIBP), confirming the scale of the exposure.
While Panera initially disclosed a ransomware attack impacting internal systems, this new leak confirms that customer loyalty accounts were heavily targeted.
Breach Scope and Exposed Data
The leaked database contains sensitive personal and partial financial information. According to analysis by BleepingComputer and HIBP, the compromised data includes:
Personal Identity: Full names, physical addresses, and dates of birth.
Contact Info: Email addresses and phone numbers.
Loyalty Data: MyPanera loyalty program numbers and point balances.
Financial Data: The last four digits of credit card numbers.
Reports indicate that full credit card numbers and CVV codes were not present in the leak. However, the combination of physical addresses, contact details, and partial card data in a single record poses a significant risk of social engineering attacks.
Discrepancy in Affected Numbers
This leak highlights a massive discrepancy between initial reporting and the actual impact.
March 2024: Panera experiences a widespread system outage caused by a ransomware attack.
June 2024: Panera files a data breach notification with the Office of the Maine Attorney General, estimating that roughly 14,000 individuals—mostly employees—were affected.
February 2025: Threat actors publish the data of approximately 5.1 million customers.
This development suggests that the initial forensic investigation failed to capture the full extent of the exfiltration, or that the scope of the theft was underestimated by the company.
Immediate Risks to Customers
The primary threat to affected customers is targeted phishing (spear-phishing) and smishing (SMS phishing). Attackers can use the specific combination of names, addresses, and last-four credit card digits to pose as bank representatives or Panera support agents.
Because the data includes loyalty program details, attackers may also attempt to drain accrued reward points or sell access to accounts with high point balances.



