Description

The national restaurant chain Panera Bread confirmed that it was the victim of a cyberattack that took place in January 2026. The attack was carried out by an active extortion group called ShinyHunters. While ShinyHunters initially claimed to have stolen 14 million customer records, independent security researchers estimate that the breach actually compromised 5.1 million customers enrolled in the chain's loyalty program. The compromised data included full names, email addresses, phone numbers, physical addresses, and other account details. Panera Bread has stated that no financial information was accessed in the attack. To prove the breach's legitimacy, ShinyHunters published a 760GB archive of stolen data on its dark web site.

The attack was carried out by compromising a Microsoft Entra single sign-on (SSO) code. Panera Bread is only one of several companies that ShinyHunters has attacked using a coordinated combination of phishing and vishing. In each case, the group creates a spoofed SSO login page designed to mimic the organization's legitimate authentication portal. The perpetrators then call employees, pretending to be IT staff, and convince them to enter their credentials and MFA codes on the fake page. Once the credentials are captured, ShinyHunters tests them across various SaaS applications to determine which systems they can access.

Actions Taken

In response to the attack, Panera notified law enforcement and other authorities. It quickly launched an investigation, which identified an insecure API endpoint within a SaaS application that had been used to retrieve customer account records. In addition, the company has taken a series of technical mitigation steps, including:

  • Updating their authentication protocols
  • Applying rate limiting to API endpoints and implementing stronger encryption controls
  • Implementing or expanding continuous monitoring for unusual access patterns and bulk exports
  • Improving API logging and anomaly detection
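The last three items on that list can be made concrete with a small detector. The following is an added example written for this page, not code from Panera or any SaaS vendor: it parses constructed API access-log lines, applies a per-client sliding-window rate limit of the kind item two calls for, and flags any client that retrieves an unusually large number of distinct customer account records in a short window, noting when the IDs are being walked sequentially. The log format, the `/v1/accounts/<id>` endpoint shape, and the thresholds are all assumptions.

```python
"""Bulk-access detection and rate limiting over constructed API access logs.
Added example; endpoint shape, log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed endpoint shape for single-record retrieval of a customer account.
ACCOUNT_PATH = re.compile(r"^/v1/accounts/(\d+)$")


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <client> <method> <path> <status>'."""
    ts, client, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "path": path, "status": int(status)}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)

    def allow(self, client, ts):
        q = self.hits[client]
        while q and ts - q[0] >= self.window:  # drop hits that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def simulate_rate_limit(lines, limit=30, window_seconds=60):
    """Replay the log through the limiter; return rejected-request counts per client."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    rejected = defaultdict(int)
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        if not limiter.allow(rec["client"], rec["ts"]):
            rejected[rec["client"]] += 1
    return dict(rejected)


def detect_bulk_access(lines, distinct_threshold=50, window_seconds=300):
    """Flag clients fetching many distinct account records within the window, and
    report whether the IDs step sequentially (a classic enumeration signature)."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        m = ACCOUNT_PATH.match(rec["path"])
        if m and rec["status"] == 200:
            per_client[rec["client"]].append((rec["ts"], int(m.group(1))))
    window = timedelta(seconds=window_seconds)
    findings = {}
    for client, events in per_client.items():
        events.sort()
        recent, best = deque(), 0
        for ts, acct in events:
            recent.append((ts, acct))
            while ts - recent[0][0] >= window:
                recent.popleft()
            best = max(best, len({a for _, a in recent}))
        if best >= distinct_threshold:
            ids = [a for _, a in events]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            findings[client] = {"max_distinct_in_window": best,
                                "sequential_steps": steps,
                                "enumeration": steps > len(ids) // 2}
    return findings


def make_sample_log():
    """Constructed sample: a normal service touching a few accounts over minutes,
    and one token walking 120 sequential account IDs at two requests per second."""
    base = datetime(2026, 1, 15, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=40 * i)).isoformat()} svc-loyalty GET /v1/accounts/{acct} 200"
             for i, acct in enumerate([48213, 77310, 10044, 90001])]
    lines += [f"{(base + timedelta(seconds=i / 2)).isoformat()} tok-stolen GET /v1/accounts/{50000 + i} 200"
              for i in range(120)]
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("rate-limit rejections:", simulate_rate_limit(log))
    print("bulk-access findings:", detect_bulk_access(log))
```

The rate limiter stops the bulk pull after the first 30 requests in any minute, while the detector looks at the shape of what did get through: a client that touches far more distinct accounts than the normal service, with IDs incrementing by one, is exactly the pattern a monitoring rule for "unusual access patterns and bulk exports" should page on.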

Prevention

The methodology used by ShinyHunters illustrates why security professionals encourage organizations to eliminate SMS- and voice-based MFA, which are susceptible to vishing attacks. Preferred MFA options include FIDO2/WebAuthn security keys or authenticator apps with number matching.
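Why a FIDO2/WebAuthn key resists the spoofed-login-page attack while a relayed code does not comes down to origin binding, which the following added model demonstrates. This is example code written for this page, not a WebAuthn library or Panera's implementation: the relying-party ID `sso.example.com`, the look-alike domain, and the use of an HMAC key shared with the relying party as a stand-in for the authenticator's public-key signature are all assumptions.

```python
"""Model of WebAuthn origin binding: the browser writes the page origin into
clientDataJSON and refuses an rpId the page is not entitled to, so an assertion
cannot be produced for the real service from a look-alike domain.
Added example; rpId, origins and HMAC-as-signature are assumptions."""
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"              # assumed relying-party ID
RP_ORIGIN = "https://sso.example.com"  # the only origin the relying party accepts


class Authenticator:
    """Toy security key. Credentials are scoped to an rpId, as in FIDO2. A real
    device signs with a per-credential private key; this model uses an HMAC key
    the relying party also holds (assumption standing in for public-key checks)."""

    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        self.credentials[rp_id] = secrets.token_bytes(32)

    def sign(self, rp_id, client_data_hash):
        key = self.credentials[rp_id]  # KeyError: no credential for this rpId
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(authenticator, page_origin, requested_rp_id, challenge):
    """Browser side of navigator.credentials.get(): the page cannot choose the
    origin, and an rpId that is not the page's own registrable domain is refused."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.sign(requested_rp_id,
                                        hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}


def rp_verify(credential_key, assertion, expected_challenge):
    """Relying-party checks: type, fresh challenge, exact origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(auth):
    """User signs in on the genuine origin."""
    challenge = secrets.token_urlsafe(16)
    assertion = browser_get_assertion(auth, RP_ORIGIN, RP_ID, challenge)
    return rp_verify(auth.credentials[RP_ID], assertion, challenge)


def phished_login(auth, phish_origin="https://sso-example-verify.com", requested_rp_id=RP_ID):
    """User is on a look-alike page that relays the real challenge. Outcome string
    shows where the protocol stops it."""
    challenge = secrets.token_urlsafe(16)
    try:
        assertion = browser_get_assertion(auth, phish_origin, requested_rp_id, challenge)
    except PermissionError:
        return "browser refused"
    except KeyError:
        return "no credential for that rpId"
    return "accepted" if rp_verify(auth.credentials[RP_ID], assertion, challenge) else "rejected by RP"


if __name__ == "__main__":
    key = Authenticator()
    key.register(RP_ID)
    print("genuine origin:", legitimate_login(key))
    print("look-alike page asking for real rpId:", phished_login(key))
    print("look-alike page asking for its own rpId:",
          phished_login(key, requested_rp_id="sso-example-verify.com"))
```

Contrast this with an SMS or app-generated code: a six-digit number carries no information about where it was typed, so a code entered on the fake page is just as valid when the caller relays it to the real portal. Number matching narrows the window but still depends on the user noticing the prompt is for a sign-in they did not start; the security key makes the relay impossible by construction.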

Another important control is the implementation of conditional access policies. Such policies can limit or block SSO logins from unexpected geographic locations or untrusted networks, and can restrict sign-ins to managed or compliant devices. Organizations that use Microsoft Enterprise can also create risk-based policies that block sign-ins from accounts flagged as high-risk by Microsoft's threat intelligence.
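To show how those conditions combine, here is an added evaluator that applies location, device-compliance, MFA-strength and risk-level rules to a handful of constructed sign-in events. It is example code written for this page, not Entra's policy schema or engine: the trusted network ranges (TEST-NET addresses), the allowed-country list, the event fields and the rule ordering are assumptions, chosen so that a block outcome always wins over any grant requirement, as it does in Entra conditional access.

```python
"""Conditional-access style evaluation of sign-in events.
Added example; rule set, event fields and sample data are assumptions."""
import ipaddress

# Constructed policy inputs: corporate egress ranges and expected countries.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}


def evaluate_sign_in(event):
    """Return (decision, reason). Block policies are checked first so that any
    match wins; grant controls (compliant device, phishing-resistant MFA) follow."""
    ip = ipaddress.ip_address(event["ip"])
    on_trusted_network = any(ip in net for net in TRUSTED_NETWORKS)

    if event["risk_level"] == "high":
        return "block", "sign-in flagged high risk"
    if event["country"] not in ALLOWED_COUNTRIES and not on_trusted_network:
        return "block", f"untrusted network in unexpected country {event['country']}"
    if not event["device_compliant"]:
        return "block", "device is not managed or compliant"
    if not event["phishing_resistant_mfa"]:
        return "require", "phishing-resistant MFA"
    return "allow", "all policies satisfied"


# Constructed sign-in events covering each branch of the policy.
SAMPLE_SIGN_INS = [
    {"id": "s1", "ip": "203.0.113.10", "country": "US", "device_compliant": True,
     "phishing_resistant_mfa": True, "risk_level": "low"},
    {"id": "s2", "ip": "198.18.0.5", "country": "BR", "device_compliant": True,
     "phishing_resistant_mfa": True, "risk_level": "low"},
    {"id": "s3", "ip": "203.0.113.20", "country": "US", "device_compliant": False,
     "phishing_resistant_mfa": True, "risk_level": "low"},
    {"id": "s4", "ip": "192.0.2.7", "country": "US", "device_compliant": True,
     "phishing_resistant_mfa": False, "risk_level": "low"},
    {"id": "s5", "ip": "203.0.113.30", "country": "US", "device_compliant": True,
     "phishing_resistant_mfa": True, "risk_level": "high"},
]


def evaluate_all(events):
    """Map each event id to its decision."""
    return {e["id"]: evaluate_sign_in(e)[0] for e in events}


if __name__ == "__main__":
    for e in SAMPLE_SIGN_INS:
        print(e["id"], *evaluate_sign_in(e))
```

Note that event s4 is on an unknown network in an allowed country from a compliant device and is not blocked outright; it is held until phishing-resistant MFA is satisfied. That is the layering the page is describing: location and device rules cut off the bulk of credential-replay attempts, and the MFA requirement covers the sign-ins that pass them.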

Given how common vishing and deepfake-style social-engineering attacks have become, every organization should run regular security awareness training that focuses on recognizing suspicious calls, unusual identity-verification requests, and other high-risk situations. Users should be instructed on how to verify a caller's identity before sharing sensitive information or approving unusual actions. Regular simulated phishing and vishing campaigns can reinforce this training and help identify which employees or departments are most vulnerable, so that additional coaching can be targeted where it is needed most.
