Let them eat sourdough: ShinyHunters claims Panera Bread as stolen credentials victim
Summary
ShinyHunters claims it has stolen data from Panera Bread: reportedly more than 14 million records (about 760 MB compressed) containing names, email and home addresses, phone numbers and account details. The gang also says it took data from CarMax (over 500,000 records, ~1.7 GB compressed) and Edmunds (millions of records, ~12 GB compressed). ShinyHunters told reporters it accessed Panera via a Microsoft Entra SSO code; the CarMax and Edmunds data are said to stem from earlier, separate breaches.
Security firms and researchers, including Silent Push and Mandiant, say they are tracking a new, ongoing campaign in which attackers use voice-phishing and real-time phishing kits to steal SSO tokens (Okta and Microsoft Entra have been mentioned). Not all of the affected companies have responded to enquiries; industry observers warn this technique bypasses MFA in real time by tricking employees into entering credentials on convincing fake login pages.
Key Points
- ShinyHunters claims to have stolen ~14 million Panera records, plus significant data from CarMax and Edmunds.
- The group alleges it accessed Panera via a Microsoft Entra single-sign-on (SSO) code.
- CarMax and Edmunds breaches are claimed to be from earlier, unrelated intrusions.
- Attackers are combining voice-phishing and live phishing kits to steal Okta/Microsoft SSO tokens and bypass MFA in real time.
- Security firms (Silent Push, Mandiant) report a new, ongoing ShinyHunters-branded credential-stealing campaign targeting ~100 organisations.
- Several victims have not publicly confirmed the incidents; independent researchers have reportedly validated some leaked datasets.
- The campaign highlights the growing threat to SSO and the limits of MFA when combined with real-time social engineering.
Why should I read this
Look, if you care about customer data, identity management or the security of your workforce, this is the sort of mess you want to know about fast. It shows criminals are good at tricking people and stealing SSO tokens — which means MFA alone might not save you. Read the details so you can check your own SSO, helpdesk and anti-phishing controls before someone else finds the hole.
Author style
Punchy: this is a high-relevance alert for security teams and CISOs. The story links multiple alleged large-scale data thefts to a single social-engineering-style campaign that targets SSO. That combination raises the stakes beyond a run-of-the-mill breach and is worth digging into for any organisation relying on centralised identity services.
Source
https://www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/
