Security Researcher Claims Panera Bread Did Not Address Security Issue For Eight Months

Posted at 10:54 am on April 4, 2018

Panera Bread has been ignoring a data breach that may affect millions of customers who placed online orders.

The vendor’s website has been accidentally leaking full names, email addresses, phone numbers, home addresses and the last four digits of credit card numbers, according to security researcher Dylan Houlihan.

Houlihan says he repeatedly warned the company about the breach back in August 2017 but the vendor did nothing.

Houlihan wrote in a Medium post:

“Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” 

The vulnerability itself involves an API in Panera’s website that can let developers pull customer information. But according to Houlihan, that same API is publicly available and requires no password to access. As a result, anyone could access the website’s customer database, and potentially mine the sensitive details.
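The flaw described above is a missing authentication and ownership check on a record lookup. The sketch below is an added example, not code from Panera, Houlihan or Krebs; the data, function names and token scheme are all hypothetical. It puts a lookup that answers any caller beside one that requires a server-issued token bound to the record being requested.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; not Panera's data or schema.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.test", "card_last4": "1881"},
}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret


def _mac(customer_id: str) -> str:
    return hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


def issue_token(customer_id: int) -> str:
    """Token handed to a customer after login (the login step is omitted)."""
    return f"{customer_id}.{_mac(str(customer_id))}"


def authenticate(token):
    """Return the customer id a valid token was issued for, else None."""
    if not token or "." not in token:
        return None
    cid, mac = token.split(".", 1)
    if not cid.isdigit():
        return None
    # Constant-time comparison on bytes so malformed input cannot raise.
    if not hmac.compare_digest(mac.encode(), _mac(cid).encode()):
        return None
    return int(cid)


def get_customer_open(customer_id: int):
    """Behaviour the article describes: any caller, any id, no credential."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def get_customer_checked(customer_id: int, token=None):
    """Hardened form: the caller must be authenticated and own the record."""
    caller = authenticate(token)
    if caller is None:
        return (401, None)  # no credential or an invalid one
    if caller != customer_id:
        return (403, None)  # authenticated, but not this customer's record
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)
```

Logging the 401 and 403 responses per client also gives operations a signal when one source walks through many customer IDs.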

After security reporter Brian Krebs reported on the breach, Panera fixed the problem. But the vendor appears to be downplaying the severity of the incident, telling Fox Business:

“Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue.”

However, Krebs and Houlihan estimate the number of affected consumers may easily cross into the millions. That’s because the vulnerable API in the Panera website stored customer IDs that reach over 7 million.

Copyright © 2008 - 2024 · StreetCorner Media , LLC· All Rights Reserved ·