Panera exposed millions of customers’ information online for at least eight months before removing it from the bakery restaurant chain’s website on April 2, KrebsOnSecurity reported.


According to the report, Panera Bread, an American chain of bakery-café fast casual restaurants in the United States and Canada, leaked the data of up to 37 million customers in plain text.

The information included names, email and physical addresses, birthdays and the last four digits of the credit card numbers of customers who ordered food for delivery on the company’s website.

The report said that a security researcher, Dylan Houlihan, identified the leak and alerted Panera to it as long ago as August 2nd, 2017. KrebsOnSecurity was alerted to the breach by Dylan Houlihan earlier today.

Panera Bread’s Chief Information Officer John Meister said that, according to the company’s investigation, fewer than 10,000 consumers had potentially been affected and that the company was working to complete the investigation and move in the right direction.

“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Houlihan said. He stressed that the vulnerability never went away, as he had been checking it every month.
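The sequential account IDs described above leave a recognizable trace in web server logs: one client successfully fetching a long run of consecutive account numbers. The following is an added example, not code from the report or from Panera; the endpoint path `/api/accounts/<id>`, the log format and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical endpoint shape; the article does not give the real URL.
ACCOUNT_RE = re.compile(r'^(\S+) .*"GET /api/accounts/(\d+) HTTP/[\d.]+" (\d{3})')

def _line(ip, account_id):
    # Constructed access-log line in common log format (not real traffic).
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET /api/accounts/{account_id} HTTP/1.1" 200 512')

SAMPLE_LOG = (
    [_line("203.0.113.7", n) for n in range(1000, 1008)]      # walks IDs in order
    + [_line("198.51.100.4", 5521)] * 3                       # one user, own account
    + [_line("192.0.2.9", n) for n in (12, 480, 9931, 77, 3050, 61)]  # scattered IDs
)

def longest_run(ids):
    """Length of the longest run of consecutive integers among the IDs."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def find_enumerators(lines, min_distinct=5, min_run=5):
    """Flag clients that successfully read many consecutive account IDs."""
    per_client = defaultdict(list)
    for line in lines:
        m = ACCOUNT_RE.match(line)
        if m and m.group(3) == "200":          # only successful reads count
            per_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, ids in per_client.items():
        distinct, run = len(set(ids)), longest_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[client] = {"distinct_ids": distinct, "longest_run": run}
    return flagged

if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

A check like this only surfaces the behaviour after the fact; the flaw itself is closed by requiring authentication and verifying on the server that the requested account belongs to the caller.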

Panera said in a statement to KrebsOnSecurity that it gives priority to data security and that the problem is now fixed.

“Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera stated.