Customer records leaked on Panera ordering website

Panera, also known as St. Louis Bread Company, reportedly leaked millions of customer records online, according to a security researcher.

According to KrebsOnSecurity, security researcher Dylan Houlihan realized in August 2017 that the information was visible, in plain text, to anyone who requested it from Panera's site.

In a blog post from Monday, Krebs noted that the flaw meant customers' names, email addresses, physical addresses, birthdays, and the last four digits of their credit card numbers were left unprotected for about eight months.

The records were referenced by identifiers that increment sequentially, so anyone who could fetch one record could enumerate the rest simply by counting up, which makes the data trivial to scrape.
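To make the enumeration problem concrete, here is an added example (it is not code from Panera, the article, or any of the researchers quoted): a lookup keyed by incremental integers with no ownership check, the same lookup hardened with opaque random identifiers plus a session-bound ownership check, and a detector that flags a client walking consecutive IDs in web-server access logs. All record data, the `/api/customer/<id>` path, the IP addresses and the log lines are constructed for illustration.

```python
from __future__ import annotations

import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Customer:
    name: str
    email: str
    last4: str  # last four digits of a card number, as the article describes


# Constructed sample records keyed by incremental integers (hypothetical data).
RECORDS_BY_INT = {
    1001: Customer("A. Example", "a@example.com", "1234"),
    1002: Customer("B. Example", "b@example.com", "5678"),
    1003: Customer("C. Example", "c@example.com", "9012"),
}


def vulnerable_lookup(record_id: int) -> Optional[Customer]:
    """Returns a record by integer key with no authentication or ownership check."""
    return RECORDS_BY_INT.get(record_id)


def scrape_sequential(start: int, stop: int) -> list[Customer]:
    """What a scraper does against vulnerable_lookup: walk the integer space."""
    return [r for i in range(start, stop) if (r := vulnerable_lookup(i)) is not None]


def new_opaque_id() -> str:
    """128-bit random, URL-safe identifier: not guessable, not enumerable."""
    return secrets.token_urlsafe(16)


class CustomerStore:
    """Hardened variant: opaque IDs and an ownership check tied to the requester's session."""

    def __init__(self) -> None:
        # opaque_id -> (owning session, record)
        self._records: dict[str, tuple[str, Customer]] = {}

    def add(self, owner_session: str, customer: Customer) -> str:
        oid = new_opaque_id()
        self._records[oid] = (owner_session, customer)
        return oid

    def lookup(self, requester_session: str, record_id: str) -> Optional[Customer]:
        entry = self._records.get(record_id)
        # Same answer for "missing" and "not yours" so the endpoint is not an existence oracle.
        if entry is None or entry[0] != requester_session:
            return None
        return entry[1]


# Detection side: flag a client that requested a run of consecutive integer IDs.
# The path below is a hypothetical endpoint, not Panera's.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /api/customer/(?P<id>\d+) ')

# Constructed access-log sample: one client enumerating, one making two ordinary requests.
SAMPLE_LOG = [
    f'198.51.100.7 - - [02/Aug/2017:10:00:{s:02d} +0000] "GET /api/customer/{1000 + s} HTTP/1.1" 200 311'
    for s in range(1, 7)
] + [
    '203.0.113.5 - - [02/Aug/2017:10:05:00 +0000] "GET /api/customer/1001 HTTP/1.1" 200 311',
    '203.0.113.5 - - [02/Aug/2017:10:05:09 +0000] "GET /api/customer/1003 HTTP/1.1" 200 311',
]


def detect_enumeration(log_lines: list[str], threshold: int = 5) -> list[str]:
    """Return client IPs whose requests cover `threshold` or more consecutive record IDs."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m.group("ip")].add(int(m.group("id")))
    flagged = []
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("scraped:", len(scrape_sequential(1000, 1010)), "records")
    store = CustomerStore()
    oid = store.add("session-A", Customer("D. Example", "d@example.com", "3456"))
    print("owner sees record:", store.lookup("session-A", oid) is not None)
    print("other session sees record:", store.lookup("session-B", oid) is not None)
    print("enumerating clients:", detect_enumeration(SAMPLE_LOG))
```

The opaque identifier alone is not the fix: it only raises the cost of guessing. The authorization check in `CustomerStore.lookup` is what actually prevents one customer from reading another's record, and the enumeration detector is the kind of check that would have surfaced the scraping pattern in server logs during the months the flaw was live.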

Panera Bread has been investing more in online ordering.

KrebsOnSecurity says Houlihan contacted Panera on August 2nd, 2017, and followed up a week later. A message thread posted by Houlihan includes responses from the company indicating it was working to fix the problem.

"The flaw never disappeared", Houlihan told KrebsOnSecurity.

Other security researchers have since chimed in to point out weak configurations affecting other parts of Panera's website. It was also reported that the website had leaked names, addresses and the last four digits of credit card numbers until yesterday. A statement quoted in those reports read: "Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved".

It's important to note that the customer data was not obtained by breaking into Panera's systems: it was exposed to anyone who asked the site for it.

The Register asked Panera Bread for comment but we've not heard back.

Data belonging to millions of customers was exposed by Panera Bread for eight months, reports suggest.

Within minutes of this story being published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.

However, within minutes of that claim it became apparent that the same vulnerability was *still* present on the website - and that the number of customer records exposed may total over 37 million.