Initial reports suggested that a recent data breach at Panera Bread exposed around 14 million customer records. That headline number raised alarms—but it doesn’t tell the full story.
According to the data-breach tracking service Have I Been Pwned (HIBP), the incident actually impacted about 5.1 million unique Panera Bread accounts, not 14 million individual customers.
What Was Exposed
The leaked dataset contains email addresses along with related account details, including names, phone numbers, and physical addresses, tied to those 5.1 million accounts.
So where did the bigger number come from? The 14 million figure refers to total records, not people. Those records likely include duplicates or multiple entries for the same individual, which is why the number of affected customers is significantly lower.
Who Claimed Responsibility — and How It Happened
A well-known cybercrime group called ShinyHunters claimed responsibility for the breach. They reportedly released the data after an extortion attempt failed.
Investigators say the attackers gained access through a compromised single sign-on (SSO) system as part of a wider voice-phishing (vishing) campaign. This campaign has targeted identity and access platforms such as Microsoft Entra and Okta.
How Panera Bread Has Responded
Panera Bread has not yet released a detailed public statement, but the company has acknowledged the breach to authorities. It has also stated that the exposed data involved contact information only, with no confirmation that financial details or passwords were compromised.
What This Means for Users
Even without financial or login credentials being exposed, personal contact details can still be valuable to attackers. Information like email addresses, names, phone numbers, and home addresses can be used for phishing, spam, or social-engineering scams.
If you have a Panera account, it’s wise to stay alert—watch for suspicious emails or messages and be cautious about unsolicited requests for information.
The Bottom Line
Yes, the breach affected millions of people—but the accurate number is about 5.1 million unique accounts, not 14 million separate customers. The higher figure reflects raw data records, not the true number of individuals impacted.
