Reconnaissance
Targeting the "Repeat Offender"
ShinyHunters, a prolific cybercriminal group, identifies Panera Bread as a high-value "soft target" due to its history of unpatched vulnerabilities and previous settlements. Attackers identify Panera's reliance on Microsoft Entra single sign-on (SSO) as the primary gateway to their customer database.
Weaponization & Delivery
The SSO Vishing Campaign
Operatives initiate a "vishing" (voice phishing) campaign, posing as internal IT support staff to call Panera employees. Attackers deploy custom phishing kits designed to mirror legitimate SSO login pages and capture multi-factor authentication (MFA) tokens in real time.
Exploitation & Installation
The Skeleton Key
Victims are tricked into entering credentials on the fake login pages, providing the attackers with both passwords and active MFA tokens. By stealing session tokens, ShinyHunters bypasses standard authentication controls, gaining persistent access that survives individual password resets.
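A detection sketch for the point above, added here as an example and not part of the original report: it flags a session that is used from a different client than the one that signed in, and any session issued before a password reset that is still active afterwards (such sessions need explicit revocation, since the reset alone does not end them). The event records and field names are constructed for illustration and are not a vendor log schema.

```python
from datetime import datetime

# Constructed sample events; field names are hypothetical, not a vendor log schema.
EVENTS = [
    {"ts": "2026-01-10T09:00:00", "user": "alice", "type": "signin", "session": "s-100", "ip": "198.51.100.10", "ua": "Edge/Windows"},
    {"ts": "2026-01-10T09:05:00", "user": "alice", "type": "activity", "session": "s-100", "ip": "203.0.113.77", "ua": "Chrome/Linux"},
    {"ts": "2026-01-10T10:00:00", "user": "alice", "type": "password_reset"},
    {"ts": "2026-01-10T10:30:00", "user": "alice", "type": "activity", "session": "s-100", "ip": "203.0.113.77", "ua": "Chrome/Linux"},
    {"ts": "2026-01-10T10:40:00", "user": "alice", "type": "signin", "session": "s-200", "ip": "198.51.100.10", "ua": "Edge/Windows"},
    {"ts": "2026-01-10T10:45:00", "user": "alice", "type": "activity", "session": "s-200", "ip": "198.51.100.10", "ua": "Edge/Windows"},
    {"ts": "2026-01-10T09:10:00", "user": "bob", "type": "signin", "session": "s-300", "ip": "192.0.2.5", "ua": "Safari/macOS"},
    {"ts": "2026-01-10T09:20:00", "user": "bob", "type": "activity", "session": "s-300", "ip": "192.0.2.5", "ua": "Safari/macOS"},
]

def find_session_anomalies(events):
    """Return sorted (user, session, reason) findings."""
    origin = {}      # session id -> (ip, ua) seen at interactive sign-in
    issued = {}      # session id -> time the session was issued
    last_reset = {}  # user -> time of most recent password reset
    findings = set()
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "password_reset":
            last_reset[ev["user"]] = ts
            continue
        sid = ev["session"]
        if ev["type"] == "signin":
            origin[sid] = (ev["ip"], ev["ua"])
            issued[sid] = ts
            continue
        # Activity event: compare against the client that established the session.
        if sid in origin and (ev["ip"], ev["ua"]) != origin[sid]:
            findings.add((ev["user"], sid, "client_changed"))
        # A session issued before the reset is still alive: the reset did not revoke it.
        reset = last_reset.get(ev["user"])
        if reset and sid in issued and issued[sid] < reset:
            findings.add((ev["user"], sid, "used_after_reset"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_session_anomalies(EVENTS):
        print(finding)
```

Each `used_after_reset` finding names a session to revoke explicitly; a `client_changed` finding alone can also come from a legitimate network change, so treat it as a lead for triage.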
Command & Control
Plaintext Plunder
Once inside the SaaS environment, attackers locate a database containing approximately 14 million records. Despite a 2018 breach involving the same issue, Panera is found to be storing this sensitive information (names, addresses, and birthdays) in unencrypted plain text.
Actions on Objectives
The Triple Strike Leak
After Panera refuses to pay a ransom or "cooperate," ShinyHunters leaks a 760 MB archive on their dark web leak site. Data for 5.1 million unique customers is exposed, leading to three class action lawsuits filed by the end of January 2026 alleging institutional negligence.