PaneraBread.com Leaks Millions Of Customers' Personal Data Bread Crumbs On The Internet

Panera Bread knows how to make a delicious sandwich, that is something we can confidently say (The Italian is this editor's go-to item on the menu). Unfortunately, it might not be as good with security. Security researcher Brian Krebs with KrebsOnSecurity says Panera Bread's website leaked millions of customer records containing a plethora of personal information, with the data made available in plain text. Yikes!

The security breach compromised customer records containing names, email addresses, physical addresses, birthdays, and the last four digits of credit card numbers. That is the kind of information that can make identity theft a little easier, though fortunately no social security numbers were compromised (it would have been silly for Panera Bread to collect such information in the first place).


Source: KrebsOnSecurity

Panera Bread has more than 2,100 retail locations in the United States. The food chain allows customers to order items online at its website for pickup in one of its stores, or for delivery. That is all fine and dandy, but storing the information in plain text is a major no-no.

The breach was first spotted by Dylan Houlihan, a security researcher who notified Panera Bread about the customer data leak eight months ago. Mike Gustavison, Panera's director of information security, initially thought it was a scam and dismissed the tip. However, the information was validated a week later, prompting Panera Bread to work on a fix.

"Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database," Dylan Houlihan told KrebsOnSecurity.
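The class of bug Houlihan describes is an insecure direct object reference: a record is selected by a guessable integer and nothing checks that the caller owns it. The following is an added illustration, not code from Panera Bread or from KrebsOnSecurity, that places the flawed lookup beside a hardened one. The customer records, the `/api/account`-style lookup functions, and the opaque-handle scheme are all constructed for the example; the real fix is the ownership check, and the random handles are defence in depth that removes the "just increment" property.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Customer:
    # Fields mirror the categories the article says were exposed; values are made up.
    account_id: int
    email: str
    name: str
    card_last4: str


# Constructed stand-in for the customer database, keyed by sequential integer ID.
CUSTOMERS: Dict[int, Customer] = {
    1001: Customer(1001, "alice@example.com", "Alice", "1234"),
    1002: Customer(1002, "bob@example.com", "Bob", "5678"),
    1003: Customer(1003, "carol@example.com", "Carol", "9012"),
}


def vulnerable_lookup(requested_id: int) -> Optional[Customer]:
    """Shape of the flaw described in the article: the record is chosen purely
    by the integer in the request, with no check on who is asking, so any
    authenticated (or unauthenticated) caller can walk the ID space."""
    return CUSTOMERS.get(requested_id)


class AuthzError(Exception):
    """Raised when a caller asks for a record that is not theirs."""


def hardened_lookup(session_account_id: int, requested_id: int) -> Customer:
    """Hardened form: the requested record must belong to the authenticated
    session. A mismatch and a missing record produce the same error so the
    response does not reveal whether an ID exists."""
    if session_account_id != requested_id:
        raise AuthzError("record is not accessible to this session")
    record = CUSTOMERS.get(requested_id)
    if record is None:
        raise AuthzError("record is not accessible to this session")
    return record


# Defence in depth: expose random, unguessable handles instead of the internal
# sequential IDs. This is an assumed scheme for the example, not Panera's.
PUBLIC_HANDLES: Dict[str, int] = {}


def issue_public_handle(account_id: int) -> str:
    """Mint a 128-bit random handle for an account (e.g. at account creation)."""
    if account_id not in CUSTOMERS:
        raise KeyError(account_id)
    handle = secrets.token_urlsafe(16)
    PUBLIC_HANDLES[handle] = account_id
    return handle


def lookup_by_handle(session_account_id: int, handle: str) -> Customer:
    """Resolve a public handle, still enforcing ownership: the random handle
    stops enumeration, but the ownership check remains the real control."""
    account_id = PUBLIC_HANDLES.get(handle)
    if account_id is None:
        raise AuthzError("record is not accessible to this session")
    return hardened_lookup(session_account_id, account_id)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(1002))          # anyone can read Bob
    print("hardened:  ", hardened_lookup(1001, 1001).name)  # Alice reads Alice
    try:
        hardened_lookup(1001, 1002)
    except AuthzError as exc:
        print("hardened:   blocked ->", exc)
```

Note that the hardened handler returns the same error for "not yours" and "does not exist"; distinguishing the two would let a caller learn which IDs are live even when the data itself is protected.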

Even worse is that the records can be indexed and crawled by automated tools relatively easily. And even though Panera Bread was aware of the issue since August of last year, "the flaw never disappeared," Houlihan said, adding that "checked on it every month or so because I was pissed."
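Because sequential IDs make the records trivially crawlable, the behaviour a defender should be watching for is one client walking consecutive IDs. The following added detector, not code from the article or from Panera Bread, runs over a few constructed access-log lines in common log format and flags clients that fetch many distinct account IDs, mostly in steps of one. The `/api/account/<id>` path, the thresholds, and every log line are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Common-log-format line with the account ID captured from the path.
# The path shape is an assumption for this example.
ACCOUNT_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /api/account/(?P<id>\d+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client walking IDs 1001..1006, two benign clients,
# and one unrelated request that the detector must ignore.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [02/Apr/2018:10:00:01 +0000] "GET /api/account/1001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Apr/2018:10:00:02 +0000] "GET /api/account/1002 HTTP/1.1" 200 498',
    '10.0.0.9 - - [02/Apr/2018:10:00:02 +0000] "GET /api/account/1001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Apr/2018:10:00:03 +0000] "GET /api/account/1003 HTTP/1.1" 200 503',
    '10.0.0.5 - - [02/Apr/2018:10:00:04 +0000] "GET /api/account/1004 HTTP/1.1" 200 511',
    '203.0.113.7 - - [02/Apr/2018:10:00:04 +0000] "GET /menu/sandwiches HTTP/1.1" 200 8801',
    '10.0.0.5 - - [02/Apr/2018:10:00:05 +0000] "GET /api/account/1005 HTTP/1.1" 200 507',
    '10.0.0.9 - - [02/Apr/2018:10:00:06 +0000] "GET /api/account/1001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Apr/2018:10:00:06 +0000] "GET /api/account/1006 HTTP/1.1" 200 499',
    '203.0.113.7 - - [02/Apr/2018:10:00:07 +0000] "GET /api/account/2001 HTTP/1.1" 200 520',
]


def detect_enumeration(
    lines: Iterable[str], min_distinct: int = 5, min_sequential_ratio: float = 0.8
) -> Dict[str, dict]:
    """Return {client_ip: details} for clients whose account-ID requests look
    like an ID walk: at least `min_distinct` different IDs, and at least
    `min_sequential_ratio` of consecutive requests advancing the ID by exactly 1.
    Status codes are not filtered: on a hardened site a walk shows up as a run
    of 403s, which is just as worth alerting on."""
    ids_by_ip: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = ACCOUNT_LINE.match(line)
        if m is None:
            continue  # not an account lookup
        ids_by_ip[m.group("ip")].append(int(m.group("id")))

    flagged: Dict[str, dict] = {}
    for ip, ids in ids_by_ip.items():
        distinct = len(set(ids))
        if distinct < min_distinct:
            continue  # too few IDs to call it a walk; also guarantees len(ids) >= 2
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential_ratio = sum(1 for s in steps if s == 1) / len(steps)
        if sequential_ratio >= min_sequential_ratio:
            flagged[ip] = {
                "distinct_ids": distinct,
                "requests": len(ids),
                "sequential_ratio": sequential_ratio,
                "id_range": (min(ids), max(ids)),
            }
    return flagged


if __name__ == "__main__":
    for ip, details in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible ID enumeration from {ip}: {details}")
```

In production this would run per time window rather than over a whole file, and the thresholds would be tuned against the site's normal traffic; a logged-in user re-reading their own record (like `10.0.0.9` above) never accumulates distinct IDs and is not flagged.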

Panera Bread's website was briefly taken offline yesterday after being contacted by KrebsOnSecurity. It appears that its customer records are no longer reachable. Even so, if you've registered and made a purchase on Panera Bread's website, keep an eye on your credit card statements for any foul play.

Thumbnail and Top Image Source: Flickr via Mike Mozart
