Technology
Panera Bread data breach exposes 5.1M customers
NEWYou can now listen to Fox News articles!
Another major consumer brand has joined the growing list of companies hit by serious data breaches. Panera Bread has confirmed a cybersecurity incident after the hacking group ShinyHunters claimed it stole millions of customer records.
The breach exposes a wide range of personal details, raising real concerns for anyone who has ever placed an order, created an account or shared contact information with the popular bakery chain.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
SUBSTACK DATA BREACH EXPOSES EMAILS AND PHONE NUMBERS
Panera Bread confirmed a data breach after hackers claimed they stole millions of customer records containing contact information. (AP Photo)
What happened in the Panera Bread data breach?
ShinyHunters added Panera Bread to its data leak site earlier this year, initially claiming it had stolen more than 14 million customer records. According to the group, the stolen data includes names, email addresses, phone numbers, home addresses and account-related information.
Panera Bread has since confirmed a cybersecurity incident. In a statement to media outlets, the company described the exposed data as customer “contact information” and said it has contacted law enforcement and taken steps to address the incident. Panera has not shared technical details about how the attack occurred or whether customers need to take specific actions.
Even “contact information” can be dangerous in the wrong hands. When combined, these details can be used for identity theft, targeted phishing and highly convincing social-engineering scams.
ShinyHunters claims the attackers accessed Panera’s systems through Microsoft Entra single sign-on (SSO). While Panera has not confirmed that claim, it closely mirrors recent warnings from Okta about a surge in voice-phishing attacks targeting SSO platforms.
In these attacks, criminals pose as IT or helpdesk staff and call employees directly. They pressure targets to approve authentication requests or enter login credentials on fake SSO pages. Once attackers capture session tokens or credentials, they can bypass some forms of multifactor authentication and move laterally through company systems. This approach relies on human trust rather than technical exploits, making it increasingly effective.
How many people were actually affected?
At first glance, claims that 14 million customers were affected suggested an enormous breach. However, researchers at Have I Been Pwned? later clarified that the attackers stole 14 million records, not data tied to 14 million unique individuals.
After reviewing the leaked dataset, researchers now estimate the breach affected approximately 5.1 million unique people. The exposed information includes email addresses along with associated names, phone numbers, and physical addresses.
That distinction matters, but it does not eliminate risk. Once stolen data is released publicly, it can spread quickly across criminal forums and be reused for years.
149 MILLION PASSWORDS EXPOSED IN MASSIVE CREDENTIAL LEAK
The hacking group ShinyHunters leaked stolen Panera customer data online after an attempted extortion failed. (Panera Bread)
Hackers leaked the data after extortion failed
ShinyHunters reportedly attempted to extort Panera Bread before publishing the stolen data. When those efforts failed, the group released a 760MB archive containing millions of customer records on its leak site.
This reflects a broader shift in cybercrime. Instead of locking systems with ransomware, many groups now focus on quietly stealing data and threatening public exposure. These attacks are faster, harder to detect, and often just as profitable.
ShinyHunters has used similar tactics in other high-profile incidents involving Bumble, Match Group, Crunchbase and other consumer platforms.
Lawsuits filed after Panera breach disclosure
The breach has already triggered legal fallout. Multiple class-action lawsuits have been filed in U.S. federal court, alleging that Panera failed to adequately protect customer data.
The lawsuits claim Panera knew or should have known about security weaknesses and seek damages, improved security practices, and long-term identity theft protection for affected customers. Panera has not publicly commented on the litigation.
A troubling pattern for Panera Bread
This is not Panera Bread’s first major security lapse. In 2018, a cybersecurity researcher revealed that Panera had left millions of customer records exposed online in plain text. That incident later led to lawsuits and settlements.
Repeated breaches often point to deeper challenges. Large organizations can struggle to secure cloud services, identity systems, and employee access at scale. When attackers target identity platforms instead of infrastructure, a single mistake can expose millions of records.
We reached out to Panera Bread for a comment, but did not hear back before our deadline.
GRUBHUB CONFIRMS DATA BREACH AMID EXTORTION CLAIMS
Exposed contact details like names, emails, and addresses can fuel phishing scams and identity theft long after a breach becomes public. (Donato Fasano/Getty Images)
7 steps you can take to protect yourself following the Panera data breach
When a major consumer brand suffers a breach, customers often don’t realize the risk until weeks or months later. These steps help limit what attackers can do with your information if your Panera data falls into the wrong hands.
1) Use a strong, unique password for every account
If you ever created a Panera Bread account, reset its password immediately. If you reused that password anywhere else, those accounts are now at risk, too. Attackers routinely test breached passwords across email, shopping and banking sites.
A password manager helps by generating strong, unique passwords for every account and storing them securely so you never need to reuse credentials. Many password managers also alert you if your email or passwords appear in known data breaches, giving you an early warning to lock things down fast.
Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.
2) Enable two-factor authentication (2FA) wherever possible
Two-factor authentication (2FA) adds a second step to the login process, usually through an app or device you control. Even if someone gets your password through phishing or a breach, 2FA makes it much harder for them to access your account.
3) Be cautious of phishing messages
Cybercriminals often follow up breaches with fake emails or in-app messages pretending to offer help or security updates. Always double-check the sender and avoid clicking links. When in doubt, open the app or website directly rather than responding to the message. Using strong antivirus software adds another layer of protection by flagging malicious links and blocking known threats before they can do harm. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
4) Limit the personal details you share
When names, email addresses, phone numbers and physical addresses are exposed, identity theft becomes a real risk. Identity theft-protection services monitor your personal information, alert you if it appears on the dark web, and watch for attempts to open new accounts in your name.
If something does go wrong, these services often include recovery support to help freeze accounts, dispute fraud, and guide you through the cleanup process.
See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com.
5) Reduce your digital footprint with a data removal service
Scammers don’t rely on one breach alone. They combine leaked data with information from data broker sites to build detailed profiles. Data removal services help remove your phone number, home address and other personal details from hundreds of these sites.
While no service can erase everything, reducing what’s publicly available makes it much harder for criminals to target you with convincing scams or identity fraud. This is one of the most effective long-term ways to lower your risk after any major breach.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.
6) Secure your email account
Your email account controls password resets for most services. Protect it with a strong password and 2FA. Regularly review login activity and recovery settings, so attackers can’t use your email to take over other accounts.
7) Watch for account changes after breach news
Not every breach leads to immediate account takeovers. In some cases, attackers quietly test access weeks later. That is why staying alert after breach reports matters. Watch for password reset emails you did not request, profile changes you did not make, or new messages you did not send. Unexpected logouts or security alerts are also red flags. If you notice anything unusual, change your password immediately and review your security settings.
Kurt’s key takeaway
The Panera Bread data breach is another reminder that even familiar brands can become major cyber targets. While Panera says only contact information was exposed, that data is often enough to fuel scams and identity theft long after headlines fade. Staying proactive after breach news is now part of protecting your digital life.
Do you still trust large brands to protect your personal information, or have repeated breaches changed how much data you’re willing to share? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
Copyright 2026 CyberGuy.com. All rights reserved.
Android 17 is getting a dedicated gaming mode for foldables that will put a virtual gamepad with touch controls on half of your screen to theoretically make it easier to play games.
With foldable gaming mode, which is set to launch in the coming months, the virtual controller emulates physical button presses at a system level and is designed to work “with any game that supports physical controllers,” says Google’s Mishaal Rahman on Reddit. For the actual inputs, the virtual controller will have a D-pad; left and right virtual sticks; A, B, X, and Y buttons; L1, L2, L3; R1, R2, and R3; and a start button. And you’ll be able to configure the gamepad in several ways, such as keeping the virtual joysticks inline or staggered from each other, scaling the size of the buttons, and toggling haptics on or off.
Turning on the mode “is as simple as unfolding your device, either before or after launching a compatible game,” Rahman says. You can also choose to hide the gamepad, and if you connect a physical controller, the virtual gamepad will turn off on its own.
“Android allows you to play a wide variety of games on the go,” says Rahman. “While touch controls work incredibly well for many titles, certain games are better enjoyed with physical gamepads. The problem is that carrying a Bluetooth controller or a snap-on gamepad with you everywhere isn’t always convenient. We want to bridge that gap, and we’re addressing it with a new feature in the Android 17 platform release that’s specifically tailored for foldable devices.”
NEWYou can now listen to Fox News articles!
A letter arrives about a debt you don’t remember, from a company you’ve never dealt with, for an account you never opened. For a growing number of people, that notice is how they first learn someone used their identity.
Complaints to the Consumer Financial Protection Bureau (CFPB) about attempts to collect a debt not owed rose about 115% above their prior two-year average in 2025, and many of those consumers reported balances they didn’t recognize and suspected identity theft.
Before you panic or pay, it helps to understand why these letters show up and what rights you have.
WHY LAST YEAR’S BREACH IS THIS YEAR’S IDENTITY FRAUD
A collection letter for a debt you do not recognize can be the first sign that someone used your identity. (John Carl D’Annibale /Albany Times Union via Getty Images)
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Why debt collectors contact you about a debt you do not owe
When a charged-off account is sold to a collection agency, the agency receives the original creditor’s application file, including whatever identifiers were used to open it. That contact information is often 90 to 180 days out of date by the time the account changes hands.
HOW SCAMMERS BUILD A PROFILE ON YOU USING DATA BROKERS
Before the first call, the agency runs skip tracing: matching a name, Social Security number (SSN) and past addresses against public records, postal change-of-address data, property and utility records and data-broker files to find the current person behind the account. At bulk volume, each lookup costs the agency pennies.
The agency then contacts you directly, by phone or mail, whether or not you have looked at your credit file.
How fake debt can start with identity theft
The account behind the notice may have been opened with your information pulled from breaches and resold, then approved by an automated check that matched the data to an existing file without confirming that the applicant was you. Opening a new account is the leading form of attempted identity misuse reported to the Identity Theft Resource Center (ITRC), which counted it more often than takeovers of accounts people already held. What happens after is less understood.
10 SIGNS YOUR PERSONAL DATA IS BEING SOLD ONLINE
Charged-off debts, including fraudulent ones, are sold in bulk portfolios for pennies on the dollar, often with thin supporting paperwork. One fraudulent balance can be sold and resold across several agencies. A debt you dispute and clear with one collector can be repackaged and reappear with another months later.
With medical debt, a bill can sometimes move toward collections before you see every explanation of benefits, insurance update or corrected statement. That is why you should contact the provider and your insurer before paying a collector.
What debt collectors legally have to tell you
Federal law gives you a defined response, and the clock starts at first contact. Under the CFPB’s Regulation F, a collector must send a validation notice describing the debt and your rights in, or within five days of, its first communication with you.
5 MYTHS ABOUT IDENTITY THEFT THAT PUT YOUR DATA AT RISK
You have 30 days from receiving that notice to dispute the debt in writing under the Fair Debt Collection Practices Act (FDCPA). Dispute inside that window, and the collector must stop collecting until it verifies the debt.
One important note: the FDCPA generally covers third-party debt collectors, not every original creditor. However, credit reporting laws, identity theft protections and state laws may still give you rights.
If the debt came from identity theft, send the collector an FTC Identity Theft Report from IdentityTheft.gov. Also, tell the collector in writing that you dispute the debt, that it resulted from identity theft and that you want it to stop reporting the account to the credit bureaus.
IS YOUR SOCIAL SECURITY NUMBER AT RISK? SIGNS SOMEONE MIGHT BE STEALING IT
Ask Equifax, Experian and TransUnion for a block under Section 605B of the Fair Credit Reporting Act (FCRA).
With a valid identity theft report and proof of your identity, the bureaus must block the fraudulent item within four business days. A block is harder to reverse than an ordinary dispute, which counts when the same debt can be resold.
The CFPB has said it may expand the meaning of identity theft under Regulation V to cover “coerced debt,” money run up in someone’s name without their consent, including in domestic and elder abuse cases.
What to do before you pay a debt collector
Before you send money or confirm any personal details, slow down and make the collector prove the debt belongs to you.
1) Ask for proof in writing
Do not pay, promise to pay or give out more personal information during the first call. Ask for the validation notice in writing and save every letter, voicemail and call log. Then send a written dispute within 30 days.
Fake debts can start with stolen personal information and then move from one collection agency to another. (PixelsEffect/Getty Images)
2) File an identity theft report if the debt looks fake
If you believe identity theft caused the account, create an FTC Identity Theft Report at IdentityTheft.gov. Send copies to the collector, the original creditor and all three credit bureaus. Also, place a fraud alert or credit freeze with Equifax, Experian and TransUnion, so it becomes harder for someone to open another account in your name.
3) Check medical bills before paying a collector
With medical debt, contact the provider and your insurer before paying a collector. Ask for an itemized bill and an explanation of benefits. A medical bill can end up in collections while paperwork, insurance reviews or billing disputes are still catching up.
4) Respond quickly if a collector sues you
If a collector sues you, do not ignore the papers. Respond by the court deadline or contact a consumer law attorney or legal aid group. Even a debt you do not owe can create bigger problems if you miss a court deadline.
Why early fraud alerts can save you money
Once a fraudulent account charges off and sells, cleanup gets harder. You may need to dispute the debt with the collector, the original lender and all three credit bureaus. If someone resells the debt, the same problem can come back months later.
YOU HAVE A CREDIT FREEZE. IT STILL ISN’T ENOUGH
Credit monitoring can help you spot a new account or hard inquiry before the debt reaches collections. That gives you time to contact the lender, dispute the account and freeze your credit sooner.
No service can prevent every account opened in your name. However, three-bureau credit monitoring can alert you when lenders report new accounts or hard inquiries. That can help you act before a collections notice arrives or a lender denies you credit.
See my tips and best picks on Best Identity Theft Protection at CyberGuy.com.
Kurt’s key takeaways
A collection letter for an unfamiliar debt deserves a closer look. It may mean someone opened an account in your name. Do not pay just to stop the calls. Ask for written validation and dispute the debt fast. If someone misused your information, file an FTC Identity Theft Report. Then freeze your credit and check all three credit reports. Early alerts can help you catch fraud before collections begin. That can save you money, time and stress.
Have you ever gotten a collection letter or call for a debt you knew you did not owe, and what did you do first? Let us know by writing to us at CyberGuy.com.
Before paying a collector, ask for written proof, dispute the debt and file an FTC Identity Theft Report if fraud is involved. (Daniel de la Hoz/Getty Images)
Sign up for my FREE CyberGuy Report
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
RAMageddon has come for computers. The price of memory chips, hard drives, and solid state storage has skyrocketed. That’s led to price increases on desktop and laptop RAM, SSDs, spinning hard drives, and pretty much everything that uses any of those things. Consoles are more expensive. Desktops are more expensive. Laptops are more expensive. Tablets and phones are more expensive. Even MacBooks, which started out expensive but then started looking like a pretty good deal, just got more expensive.
All that sucks. But if (if) there’s a silver lining, it’s that most of the stuff you plug into a computer — keyboards, mice, webcams, monitors, and so forth — isn’t getting bananas expensive. Actually, there are some good deals out there.
Great keyboards on the cheap
Hot deals on mice in your area
Monitors to watch (get it?)
Cases and stands, hubs and docks, and other stuff
-
Miami, FL3 minutes ago2 detained after police pursuit ends with bailout, neighborhood search in NW Miami-Dade – WSVN 7News | Miami News, Weather, Sports | Fort Lauderdale
-
Boston, MA10 minutes agoDelta flight returns to Logan after smoke scare in cockpit – Boston News, Weather, Sports | WHDH 7News
-
Denver, CO13 minutes agoPat Surtain II Gets More Bad News Amid Broncos’ Uncertainty
-
Seattle, WA18 minutes agoThe World Cup 2026 Pride Match between Egypt and Iran that Seattle hopes can ‘unite football community’
-
San Diego, CA25 minutes agoCounty Leaders Still Eyeing County-Backed Tax Hike
-
Milwaukee, WI28 minutes agoWe must have answers before awarding new wastewater contract | Opinion
-
Atlanta, GA33 minutes agoSemi-truck, train collide in fiery crash in SW Atlanta
-
Minneapolis, MN39 minutes agoReform, money and trust: Council members’ key criteria for Minneapolis’ next police chief
