A massive data leak on Panera Bread’s website, Panerabread.com, was uncovered and then went undisclosed for eight months.
According to a report by Brian Krebs on Monday night, the leak exposed millions of customer records, including names, email addresses, physical addresses, birthdays, and the last four digits of each customer’s credit card number. The website served these records in plain text.
The St. Louis-based company, Panera Bread, operates the website and more than 2,100 retail locations in the U.S. and Canada. Customers use the website to order online and pick up food at a restaurant.
Security researcher Dylan Houlihan first reported the website vulnerability to Panera Bread in August. However, Panera Bread did not fix it until nearly eight months later, and only after Brian Krebs contacted the company to point out that the vulnerability still had not been fixed.
Krebs said that “incremental customer numbers indexed by the site suggest that number may be higher than seven million.” In another update later Monday night, Krebs said further research by security experts revealed the leak was likely much larger than previously reported.
The breach could now affect as many as 37 million customer records, including those from Panera’s commercial division, which serves countless catering companies as well.
See Krebs’s tweets and the follow-up blog post from Threatpost for more details and comments from security researchers on the incident.