Panera Bread, Inc., a major US-based casual dining and bakery-café chain, is reported to have been the target of a data breach after the cybercrime group ShinyHunters claimed it leaked more than 14 million customer and employee records. The claim was posted on a dark-web forum by the group, which lists alleged victims of its data theft operations.
ShinyHunters is a financially motivated cybercriminal collective known for exfiltrating large volumes of personal and organisational information and publishing samples of the stolen material when ransom demands are not met. In its posting related to Panera Bread, the group included a compressed archive it said contains the data taken from the company’s systems. This archive reportedly amounts to about 19.5 GB of data representing approximately 14 million unique records.
Analysis of the sample data made available by the group suggests it includes personally identifiable information such as full names, email addresses, phone numbers, home addresses, and dates of birth for both customers and employees of Panera Bread. The leak reportedly reflects information collected through customer accounts and internal records rather than data that appears directly tied to payment card numbers or financial credentials. The exact scope and authenticity of the full dataset remain subject to ongoing review, and independent verification of the full claim has not been published.
Panera Bread, which operates more than 2 000 restaurants across the United States and Canada, has not issued a public disclosure confirming the breach or providing a detailed assessment of what may have been affected. The company was contacted for comment following the claim by ShinyHunters, but at the time of reporting, no comprehensive corporate statement had been released. The incident has drawn attention, given the scale of the data reportedly involved and the sensitivity of the types of personal information included.
Cybercrime analysts note that large-scale breaches of this kind can elevate the risk of phishing attacks, identity theft, and social engineering against the individuals whose information has been exposed. Unverified claims published by criminal groups often include only a subset of the alleged data as a preview to coerce victims into engaging with extortion demands. Organisations listed in such postings typically begin internal investigations and forensic analysis to confirm whether a breach occurred and to determine the appropriate incident response measures.
At present, details about how the alleged breach occurred, whether vulnerabilities were exploited or credentials compromised, and what actions Panera Bread is taking in response have not been made public. The situation remains under observation by cybersecurity specialists as the claim and its implications for affected individuals are further assessed.