The Panera Bread data breach has put millions of customers at risk after hackers stole personal information from the popular bakery-cafe chain.

A cybercriminal group known as ShinyHunters claimed responsibility for the attack, which occurred in January 2026.

The gang originally said it had stolen over 14 million records, but the breach notification service Have I Been Pwned confirmed that 5.1 million unique email addresses were exposed.

Many of those 14 million records appear to be duplicates tied to users who created more than one account. ShinyHunters leaked nearly 760 MB of stolen documents on its dark web site after Panera refused to pay a ransom.

How the Panera Bread Data Breach Happened

ShinyHunters gained access to Panera’s systems by stealing a Microsoft Entra single sign-on (SSO) code. This attack was part of a broader voice phishing campaign targeting SSO accounts at Okta, Microsoft, and Google across more than 100 high-profile organizations.

The group tricked employees into handing over login credentials through social-engineering phone calls paired with real-time phishing kits. Attackers posed as IT support staff and directed victims to fake login pages that captured passwords while bypassing multi-factor authentication.

The following types of personal information were stolen:

• Names
• Email addresses
• Phone numbers
• Home/physical addresses
• Account details

More than 26,000 panerabread.com employee email addresses were also found in the leaked files.

TROYPOINT Tip: Protect your identity and personal info from a data breach by using Aura Identity Theft Protection which is TROYPOINT’s recommended identity theft protection.

Aura Identity Theft Protection Review

Panera Bread’s Response

Panera has not yet filed formal breach notifications or issued a public statement. However, the company notified authorities and confirmed the attack, describing the stolen information as “contact information.”

This isn’t the first time the chain has faced a security incident. In March 2024, a ransomware attack triggered a nationwide IT outage and exposed employee records.

ShinyHunters has also been linked to attacks on Match Group (owner of Tinder and Hinge) and SoundCloud, which saw 29.8 million accounts compromised.

Final Thoughts

The Panera Bread data breach is another reminder that no company is immune to cyberattacks, and your personal information can end up on the dark web without warning.

Voice phishing campaigns like the one ShinyHunters used are growing more common, making it harder for even large corporations to defend against them.

For more details on this story, refer to the reports from BleepingComputer and The Register.

We want to know your thoughts. What do you think about this story? Let us know in the comment section below!

Be sure to stay up-to-date with the latest streaming news, reviews, tips, and more by following the TROYPOINT Advisor with updates weekly.