News of the Panera data leak follows a data breach that exposed the user names, email addresses and passwords of more than 150 million users of the fitness tracking app MyFitnessPal, which Under Armour owns.
A security flaw in Panera Bread's website has left "millions" of customers' information vulnerable to "anyone who knew where to look" for at least eight months, according to CNET. Thankfully, there was no payment information, but it would have been very easy for eavesdroppers to harvest the information and use it for identity fraud or spam campaigns.
The problem was first identified by security researcher Dylan Houlihan, who supplied Krebs with emails dating back to August 2017 that show Houlihan informing Panera's information security director about the leak.
I'm honestly getting sick of having to write these stories about data leaks and security breaches that divulge the information of massive amounts of people.
The security company Hold Security also takes issue with the incident, claiming that Panera is drastically downplaying the severity of the breach: it says that up to 37 million customers may have been affected, as opposed to the 10,000 customers Panera announced to Fox News. Krebs says Gustavison, the information security director, initially dismissed Houlihan's report as a scam but later realized that something was in fact afoot.
KrebsOnSecurity says the company website was briefly taken offline after it spoke with Panera Chief Information Officer John Meister by phone on Monday. Krebs noticed months later that the customer data was still accessible, something Houlihan confirmed. It appears that the customer records are no longer reachable.
Panera later took its entire website down, and the problem appears to have been corrected.
The company said in a statement that following the reports, it made a decision to "shut down its website in order to fix any problem that may exist".