Accounts Impacted: Approximately 5.1 million unique customer accounts
Breach Occurrence Date: December 2025
Added to Breach Breakdown: January 2026
The Panera Bread Breach: What Happened
Panera Bread, the popular US bakery-cafe chain with thousands of locations nationwide, suffered a major data breach in December 2025. The Panera Bread breach was carried out by the ShinyHunters hacking group, and it did not involve breaking through firewalls or cracking encryption. Instead, the attackers called a Panera employee on the phone, impersonated IT support, and tricked them into handing over a Microsoft Entra single sign-on (SSO) authentication code. That one phone call gave them access to Panera’s cloud systems and the customer data stored inside.
After gaining access, ShinyHunters extracted 14 million records and published a 760GB archive on their dark web leak site after Panera reportedly refused to pay a ransom demand. Independent security researchers later confirmed that while the Panera Bread breach archive contained 14 million records, the data mapped to approximately 5.1 million unique customers, with the rest being duplicates. Panera confirmed the incident to authorities, describing the exposed data as customer “contact information,” and stated that no financial data or login credentials were accessed.
Two class action lawsuits have since been filed in Missouri federal court. Notably, this is also not Panera’s first breach. The company suffered a separate significant data incident in 2024, raising serious questions about its commitment to protecting customer data.
What Data Was Exposed in the Panera Bread Breach
According to security researchers and the leaked dataset, the Panera Bread breach exposed the following customer information:
- Full names
- Email addresses
- Phone numbers
- Physical home addresses
- Internal account details
Panera confirmed that passwords, credit card numbers, login credentials, and financial information were not accessed in this incident. However, the combination of name, email, phone number, and home address exposed in the Panera Bread breach is more than enough for criminals to cause serious and lasting harm.
Why the Panera Bread Breach Is Risky
Even without passwords or financial data, the Panera Bread breach hands criminals a powerful toolkit. Specifically, your name, email, phone number, and home address together allow attackers to:
- Send highly convincing phishing emails that use your real name and reference your Panera account to steal login credentials or payment details from other platforms.
- Target you by text and phone call using your phone number for SMS scams and vishing attempts that sound legitimate because they already know your details.
- Show up at your door. Physical home addresses were exposed in the Panera Bread breach. In the wrong hands, this creates risks that go well beyond digital fraud.
- Build a fuller profile of you by combining this data with other leaked databases, making identity theft significantly easier.
- Flood your inbox with targeted spam and scam emails posing as Panera, delivery services, or loyalty program offers.
Furthermore, ShinyHunters is an active and aggressive group. The same vishing and SSO tactic used in the Panera Bread breach has hit over 100 organizations in 2026 alone, including SoundCloud, Betterment, and Crunchbase. As a result, this data is now in the hands of a well-organized criminal network with a proven track record of exploiting it.
What You Should Do Now If You Were Affected by the Panera Bread Breach
If you have ever created a Panera Bread account or used their loyalty program, your data may be affected by the Panera Bread breach. Therefore, act now and take these steps:
- Change your Panera account password immediately and update it on any other platform where you used the same one.
- Turn on two-factor authentication (2FA) on your email and any account linked to your Panera email address.
- Be alert to phishing emails and texts that reference your Panera account, loyalty points, or recent orders. Do not click any links. Go directly to Panera’s website instead.
- Watch for phone scams. Your phone number was exposed in the Panera Bread breach. Be skeptical of unexpected calls from anyone claiming to be Panera, your bank, or a delivery service.
- Consider placing a fraud alert with the major credit bureaus if you are concerned your information may be combined with data from other leaks.
- Switch to a secure, opt-in email service like OptMsg so that even when your email is exposed in a breach, criminals cannot reach your inbox.
How OptMsg Helps After the Panera Bread Breach
Your name, email, phone number, and home address were likely exposed in the Panera Bread breach. That gives criminals everything they need to target you by email, text, and phone. However, OptMsg gives you the tools to fight back:
- You decide who can email you. OptMsg’s patent-pending opt-in router technology means only people you approve can reach your inbox. Therefore, even if criminals have your email address from the Panera Bread breach, they cannot flood you with phishing attempts and scam emails.
- No password to steal. OptMsg does not rely on a password to protect your account. When breaches expose credentials from other platforms, attackers have nothing to exploit here.
- We don’t collect your personal data to sell to advertisers. Unlike “free” inboxes that profit from your information, OptMsg charges a small fee instead of treating you as the product.
- OptMsg does not scan your emails to sell ads. In short, your inbox belongs to you, not to advertisers or AI training systems.
Why the Panera Bread Breach Matters
The Panera Bread breach is a reminder that the most dangerous cyberattacks do not always involve sophisticated hacking tools. In this case, a single phone call was all it took to expose the data of approximately 5.1 million customers. ShinyHunters did not crack any encryption or exploit a complex software flaw. They simply called an employee and asked for access.
Moreover, the Panera Bread breach is the company’s second major security incident in two years. That pattern matters. It shows that even after facing serious security incidents, companies do not always make the changes needed to stop the next one. As a result, the customers who trusted Panera with their personal information are the ones who pay the price.
The real problem, however, goes beyond the Panera Bread breach itself. Every time you hand your email address to a company, you are trusting that company to protect it. OptMsg breaks that dependency entirely. You control who reaches you, regardless of what any company does or does not do with your data.