On August 2, 2017, security researcher Dylan Houlihan contacted Panera Bread to warn them that their customer loyalty website had a serious defect that allowed attackers to retrieve the names, email and physical addresses, birthdays and last-four of the credit cards for up to seven million customers.
Houlihan shared his findings in detail with Mike Gustavison, Panera’s head of information security, who initially dismissed them as a scam. On August 9, 2017, Gustavison acknowledged that the threat was real and told Houlihand they were “working on a resolution.”
As of yesterday — eight months to the day later — it wasn’t fixed. What’s more, the data (all stored in the clear) is easy for search engines to crawl and index, meaning it’s probably been inadvertently copied several times.
Security journalist Brian Krebs called them to ask them about this, and they took their website down and fixed it. Sort of. If you’re a Panera Bread customer, you can login with your account and access up to seven million other customers’ data.
Another data point exposed in these records included the customer’s Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts.It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It’s also unclear whether any Panera customer account passwords may have been impacted.
In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with Houlihan.
Panerabread.com Leaks Millions of Customer Records [Brian Krebs/Krebs on Security]