Panera Bread Hit By Data Leak After Hackers Request Ransom
Data linked to more than 5 million Panera Bread customers has surfaced online following a breach attributed to the ShinyHunters extortion group, after hackers failed to extract a ransom. The attackers claim to have stolen up to 14 million records, publishing a 760GB data archive on a Tor-based leak site. According to Have I Been Pwned, the exposed data includes 5.1 million unique email addresses, along with associated names, addresses, and phone numbers. Panera has acknowledged the intrusion, confirming that customer contact information was accessed, though it has not disclosed full technical details.
The attack did not rely on traditional software vulnerabilities. Instead, ShinyHunters reportedly compromised Microsoft Entra single sign-on (SSO) to obtain authentication codes, bypass MFA, and gain access to Panera’s cloud-based SaaS environment. This technique aligns with a broader campaign by the group, which has recently targeted multiple high-profile organizations across sectors. From a risk perspective, even “contact-only” data at this scale creates significant downstream exposure, enabling phishing, credential stuffing, impersonation, and account takeover attacks well beyond Panera’s ecosystem.
This incident reinforces the urgent need to unify identity-centric security with broader detection and response capabilities. Defending against SSO compromise requires consolidating identity threat detection, authentication telemetry, SaaS activity monitoring, endpoint and network signals, threat intelligence, and automated incident response into a single security platform like NIKSUN. By correlating SSO events, MFA challenges, anomalous login behavior, and data access patterns, organizations can detect abuse of trusted authentication flows earlier and shut down attacks before mass data exfiltration occurs. As identity becomes the new perimeter, security tool consolidation and unified visibility are critical to countering modern extortion campaigns.
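The correlation described above can be sketched as follows. This is an added example, not code from NIKSUN, Panera, or any vendor: it joins MFA challenges, SSO logins, and SaaS data reads per user and alerts when a login with inconsistent identity signals is followed by bulk data access. The event tuple layout, the 30-minute window, the record threshold, the baseline table, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
EXPORT_THRESHOLD = 10_000        # assumed record count treated as bulk access
# Assumed per-user baseline of previously seen source addresses.
BASELINE_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}}

# Constructed events: (timestamp, user, event type, source IP, records returned).
EVENTS = [
    ("2026-01-10T09:00:00", "alice", "mfa_challenge", "198.51.100.7", 0),
    ("2026-01-10T09:00:20", "alice", "sso_login", "198.51.100.7", 0),
    ("2026-01-10T09:05:00", "alice", "saas_read", "198.51.100.7", 120),
    ("2026-01-10T11:00:00", "bob", "mfa_challenge", "198.51.100.9", 0),
    ("2026-01-10T11:00:40", "bob", "sso_login", "203.0.113.50", 0),
    ("2026-01-10T11:04:00", "bob", "saas_read", "203.0.113.50", 8000),
    ("2026-01-10T11:09:00", "bob", "saas_read", "203.0.113.50", 9000),
]

def correlate(events, baseline):
    """Alert when a login with suspicious identity signals precedes bulk reads."""
    alerts, last_mfa, sessions = [], {}, {}
    for ts, user, kind, ip, records in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "mfa_challenge":
            last_mfa[user] = (t, ip)          # where the challenge was answered
        elif kind == "sso_login":
            reasons = []
            if ip not in baseline.get(user, set()):
                reasons.append("new_source_ip")
            mfa = last_mfa.get(user)
            if mfa is None or t - mfa[0] > WINDOW:
                reasons.append("no_recent_mfa")
            elif mfa[1] != ip:                # MFA satisfied elsewhere than the login
                reasons.append("mfa_ip_mismatch")
            sessions[(user, ip)] = {"start": t, "reasons": reasons, "records": 0, "alerted": False}
        elif kind == "saas_read" and (user, ip) in sessions:
            s = sessions[(user, ip)]
            if t - s["start"] <= WINDOW:      # only count reads close to the login
                s["records"] += records
            if s["reasons"] and s["records"] >= EXPORT_THRESHOLD and not s["alerted"]:
                s["alerted"] = True
                alerts.append({"user": user, "ip": ip, "reasons": s["reasons"], "records": s["records"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE_IPS):
        print(alert)
```

Neither signal alone raises an alert here: a login from a new address with little data access, or heavy reads from a known address with matching MFA, stays quiet, which keeps the rule focused on the combination the paragraph describes.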