Brian Krebs and I were both on the same mission today – to get Panera Breach to secure their customer data. I had been alerted to the situation by a reader who saw a paste explaining it all and revealing some customer data. Brian heard about it earlier from security researcher Dylan Houlihan, who had first notified Panera of the problem last year, he told Brian. Brian reports:
Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.
The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.
Read more on KrebsOnSecurity.com.