[BreachExchange] Panera Bread left millions of customer records exposed on the web

Inga Goddijn inga at riskbasedsecurity.com
Tue Apr 3 09:25:35 EDT 2018


https://www.engadget.com/2018/04/02/panera-bread-left-millions-of-customer-records-exposed/

Add another big-name brand to the list of those who've left customer data
exposed online. Thanks to security researcher Dylan Houlihan,
KrebsOnSecurity has discovered that Panera Bread left millions of customer
sign-up records (possibly 37 million) in plain text on its website,
including email addresses, home addresses, phone numbers and loyalty
account numbers. There was no payment info, thankfully, but it would have
been patently easy for evildoers to harvest that information and use it as
part of identity fraud or spam campaigns.

Crucially, Panera Bread didn't appear to be responsive to the problem.
Houlihan notified the company about the problem in August 2017 and got a
response promising that its team was "working on a resolution," but it
didn't take down the info until KrebsOnSecurity got involved -- twice. In a
statement, Panera Bread said it was still investigating the vulnerability
but indicated that there was "no evidence" of either payment info or anyone
accessing a "large number" of the accounts.

As such, you're probably not at risk if you signed up for a Panera Bread
website account. However, this underscores a recurring problem with
internet security: numerous companies have failed to encrypt data or
otherwise abide by basic security policies. Although there's no guarantee
that locking down data will prevent breaches, it beats welcoming thieves
with open arms.