Feb 24, 2026
ShinyHunters Called an Employee and Got 5.1 Million Panera Customer Records
The hacking group used voice phishing to trick a Panera employee into handing over single sign-on codes, then leaked a 760MB archive of customer data after extortion failed.
A Phone Call Was All It Took
In late January 2026, the hacking group ShinyHunters posted a 760MB archive on their dark web leak site containing the personal data of millions of Panera Bread customers. The group claimed to have stolen 14 million records, though breach notification service Have I Been Pwned verified the dump contained approximately 5.1 million unique email addresses.
According to Google's Mandiant team, the attackers did not exploit a software vulnerability. They called an employee, impersonated a coworker, and convinced them to hand over single sign-on authentication codes. That gave ShinyHunters access to Panera's cloud systems and Microsoft Entra identity services.
What Was Stolen
The leaked archive contains customer email addresses, full names, phone numbers, and physical addresses. While financial data and passwords do not appear to be included, the combination of name, email, phone, and address is exactly what attackers need to craft convincing phishing campaigns.
Security analysts warn that the stolen contact information will likely fuel phishing campaigns for months, and that those campaigns may appear completely unrelated to Panera. An attacker who knows your name, email address, phone number, and home address can impersonate your bank, your utility provider, or your employer with alarming credibility.
ShinyHunters' Growing Playbook
ShinyHunters attempted to extort Panera Bread before publishing the data. When those efforts failed, they released everything. This is a pattern the group has refined across a string of high-profile breaches in 2026.
The same group used similar voice phishing tactics to breach Betterment, gaining access to 1.4 million investment accounts. They also targeted Crunchbase and SoundCloud. In each case, the initial access method was the same: a phone call to an employee.
The tactic works because single sign-on systems concentrate access. Once an attacker has a valid SSO token, they do not need to crack passwords, bypass multifactor authentication, or exploit software bugs. They walk through the front door with legitimate credentials.
Why Voice Phishing Is So Effective
Email phishing has become well understood. Most employees know not to click suspicious links. But voice phishing exploits a different vulnerability: the human instinct to be helpful when someone calls and sounds like they belong.
ShinyHunters researches its targets. The group knows the internal language, the team structures, the systems in use. When its members call posing as IT support or a colleague, the conversation feels natural. The employee being targeted has no reason to suspect anything is wrong because, from their perspective, they are simply helping a coworker with a login issue.
This is not a new technique, but it is becoming the dominant initial access method for data breaches in 2026. Traditional security tools like firewalls, endpoint detection, and email filters do not protect against a human being willingly providing access credentials over the phone.
Class Action Lawsuits Filed
Multiple class action lawsuits have been filed in U.S. federal court alleging that Panera Bread failed to adequately protect customer data. The lawsuits argue that Panera did not implement sufficient security training to prevent social engineering attacks, and that the company's response to the breach was inadequate.
For 5.1 million affected customers, the immediate risk is targeted phishing. If you have ever ordered from Panera online or through their app, your email address and personal details may now be in the hands of cybercriminals. Be skeptical of any unexpected emails, especially those that reference your name and appear to come from legitimate companies. Attackers using this stolen data will know enough about you to make their phishing emails look real.