Panera Bread breach: ShinyHunters says it hacked 14 million customers

The hacking group ShinyHunters is at it again.
This time, customers of the Panera Bread bakery chain have had their private data put at risk. The incident appears to be related to a similar breach we reported on earlier this week, targeting Match Group users.
On their website earlier this week, ShinyHunters confirmed they were behind the Panera Bread data breach that led to the theft of more than 14 million customer records. Stolen information reportedly includes customer names, email addresses, phone numbers, home addresses, and account information.
Panera Bread has since confirmed the data breach.
The company described the compromised data as “contact information” in a statement to Bloomberg. Panera said it has since contacted law enforcement and taken steps to address the incident.
“The Panera Bread data breach will be devastating for those affected,” said Ade Clewlow, director and senior advisor at the cybersecurity consultancy NCC Group, in a statement to Mashable. “Not only are affected customers at risk of identity theft, but we know that PII [Personally Identifiable Information] is sold to other criminal groups on the dark web to exploit victims through social engineering. The combination of PII taken, if true, poses a real risk to the victims of these hacks.”
As The Register reported, ShinyHunters said they were able to access the Panera Bread website by using a Microsoft Entra single sign-on (SSO) code.
Okta, a platform that also provides companies with SSO codes, shared a warning just last week about new phishing campaigns being used by cybercriminals. In these attacks, the bad actor typically poses as an IT worker and calls their targets, asking them to enter their information on a phishing website made to look like an SSO platform. The fake page records whatever the target enters, handing their login information to the bad actor.
“This aligns closely with Okta’s recent warnings about SSO compromises driven by phishing targeting Okta, Microsoft, and Google,” said Cory Michal, CSO at the security company AppOmni, in a statement to Mashable. “Okta has defined custom, real-time kits that are used during calls to capture information/time tokens and overcome phishing-resistant MFA across these large ecosystems.”
This is not the first time Panera Bread has experienced a major online security breach. Back in 2018, a cybersecurity expert reported that Panera Bread had leaked millions of customers’ personal data, exposed in plain text on its website.
“The biggest lesson is Panera’s repeated compromises,” Michal said. “The fact that class action lawsuits alleging failure to protect consumer data have to be resolved shows how difficult it is for large, distributed organizations to consistently operate SaaS and identity security at a high level.”
As for ShinyHunters, the hacking group is responsible for other recent data breaches involving Bumble, Match, and CrunchBase. The group also posted confidential data from previous breaches of car platforms such as CarMax, which an affiliate group known as the Scattered LAPSUS$ Hunters took credit for.
In a statement provided to Mashable, NCC Group consultant and executive director Tim Rawlins urged companies to step up in response to this latest series of cybersecurity incidents.
“We’ve seen effective social media technology persuade employees to hand over their multi-factor authentication (MFA) credentials to attackers posing as their help desk, and MFA ‘bombing’ where a staff member is inundated with MFA requests until they respond. Both versions allow an attacker to breach legacy IT,” said Rawlins. “The only way to counter such attacks is better employee awareness and a more phishing-resistant MFA.”
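Rawlins’ description of MFA “bombing” (a staff member flooded with push prompts until one is approved) is a pattern an identity team can look for in its own authentication logs. The Python below is an added illustration of that detection logic; it is not code from the article, from Mashable, from NCC Group or from any identity provider. The log format (`timestamp|user|event|source_ip`), the event names, the thresholds and every sample line are constructed assumptions, and a real deployment would map them onto the vendor’s actual export.

```python
"""Detect MFA push-fatigue ("bombing") patterns in authentication logs.

Added example, not from the article or any vendor. The log format is a
constructed, simplified identity-provider export: timestamp|user|event|source_ip.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: alice is bombarded with prompts and eventually
# approves one; bob is a normal login; carol is bombarded but never approves.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z|alice|mfa_push_sent|203.0.113.7
2024-01-15T09:00:20Z|alice|mfa_push_denied|203.0.113.7
2024-01-15T09:00:41Z|alice|mfa_push_sent|203.0.113.7
2024-01-15T09:01:05Z|alice|mfa_push_sent|203.0.113.7
2024-01-15T09:01:30Z|alice|mfa_push_sent|203.0.113.7
2024-01-15T09:01:58Z|alice|mfa_push_sent|203.0.113.7
2024-01-15T09:02:15Z|alice|mfa_push_approved|203.0.113.7
2024-01-15T09:10:00Z|bob|mfa_push_sent|198.51.100.4
2024-01-15T09:10:09Z|bob|mfa_push_approved|198.51.100.4
2024-01-15T11:00:00Z|carol|mfa_push_sent|192.0.2.9
2024-01-15T11:00:45Z|carol|mfa_push_sent|192.0.2.9
2024-01-15T11:01:20Z|carol|mfa_push_sent|192.0.2.9
"""


def parse_log(text):
    """Parse the hypothetical pipe-delimited format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src_ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "event": event,
            "src_ip": src_ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, threshold=3, window=timedelta(seconds=120)):
    """Return alerts for users who receive >= threshold push prompts within
    `window`, and a higher-severity alert if such a burst ends in an approval.

    A sliding window of recent prompt timestamps is kept per user; a "medium"
    alert fires once when a burst starts, and a "high" alert fires when an
    approval arrives while the burst is still inside the window.
    """
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    in_burst = defaultdict(bool)  # user -> whether a burst alert is already open
    alerts = []
    for e in events:
        user, q = e["user"], recent[e["user"]]
        # Drop prompts that have aged out of the window relative to this event.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event"] == "mfa_push_sent":
            q.append(e["ts"])
            over = len(q) >= threshold
            if over and not in_burst[user]:
                alerts.append({
                    "user": user, "severity": "medium", "at": e["ts"],
                    "prompts_in_window": len(q),
                    "detail": "push prompt burst (possible MFA bombing)",
                })
            in_burst[user] = over
        elif e["event"] == "mfa_push_approved" and len(q) >= threshold:
            alerts.append({
                "user": user, "severity": "high", "at": e["ts"],
                "prompts_in_window": len(q),
                "detail": "push approved after prompt burst; treat session as suspect",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f'{alert["at"].isoformat()} {alert["severity"]:6} {alert["user"]}: {alert["detail"]}')
```

The high-severity case is the one worth an automated response (revoking the session and contacting the user out of band), since the approval is exactly what the attacker was waiting for; the medium alert on carol is still useful as a sign that someone holds her password. The thresholds are deliberately conservative placeholders and should be tuned against a baseline of legitimate prompt rates before being used for anything beyond triage.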



