The leaked data included names, emails, physical addresses, birthdays, and the last four digits of the customer’s credit card number, according to KrebsOnSecurity. To be clear, Panera wasn’t hacked. Its website had a flaw that allowed anyone with knowledge of the flaw to theoretically obtain the information of customers who had signed up to order food online from panerabread.com.
The flaw was first discovered eight months ago by security researcher Dylan Houlihan, who immediately contacted Panera about it. At first, the company dismissed the researcher’s warning as a likely scam, but a week later told Houlihan it was working on a fix. However, eight months went by and Houlihan could see that nothing had been fixed, which is when he presented his findings to KrebsOnSecurity. After the site ran the story, Panera took its website offline for a few hours and apparently fixed the data leak. However, it’s not clear why the leak hadn’t been fixed during the eight months in which Panera had known about it. For its part, Panera told Fox News that only 10,000 customer records were exposed before the leak was fixed, though other security researchers say that millions of customers could potentially have been affected.