The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported.

Founded in 1987, the company operates nearly 2,300 bakery-cafes across 48 U.S. states and in Ontario, Canada, under the names Panera Bread or Saint Louis Bread Co.

Have I Been Pwned's report comes after the ShinyHunters extortion gang claimed in late January that they had stolen a wide range of personally identifiable information (PII) and contact information for over 14 million Panera Bread user accounts. The cybercrime group has since leaked an archive of nearly 760 MB of documents on its dark web leak site, containing data stolen from Panera Bread.

"These files were leaked on the ShinyHunters DLS because the victim did not pay a ransom or cooperate and comply with the ShinyHunters group," the extortion gang says in a text file added to the leaked archive.

ShinyHunters told BleepingComputer that they gained access to Panera's systems via a Microsoft Entra single sign-on (SSO) code. The attack was part of a new ShinyHunters voice phishing (vishing) campaign targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google across more than 100 high-profile organizations.

"In January 2026, Panera Bread suffered a data breach that exposed 14M records," said data breach notification service Have I Been Pwned over the weekend. "After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses."

While other news outlets have reported immediately after ShinyHunters claimed the attack that the breach affected 14 million Panera Bread customers, the extortion gang's website explained that that number refers to records stolen during the attack. According to BleepingComputer's count, these stolen records contain personal information for roughly 5,120,000 unique user accounts, which may represent fewer customers, since each affected individual may have used more than one account.

BleepingComputer also found more than 26,000 unique panerabread.com email addresses, likely belonging to Panera Bread employees whose PII was stolen in the breach.

While Panera Bread has yet to file data breach notifications or issue a statement about the incident, it has notified authorities and confirmed the breach, saying that "the data involved is contact information."

As part of the same series of vishing attacks, ShinyHunters has also breached the online dating giant Match Group, which owns multiple popular dating services, including Tinder, Match.com, Hinge, Meetic, and OkCupid.

Match Group has since confirmed that the attackers stole a "limited amount of user data" after ShinyHunters leaked 1.7 GB of compressed files allegedly containing internal documents and around 10 million records of Hinge, OkCupid, and Match user information.

Audio streaming platform SoundCloud also confirmed a ShinyHunters attack in December, following widespread reports of users encountering 403 "Forbidden" errors when connecting via VPN. The attack led to a data breach affecting 29.8 million accounts, as Have I Been Pwned revealed last week.

BleepingComputer reached out to Panera Bread with questions about the December 2025 incident, but a response was not immediately available.

Panera Bread also notified employees of a data breach in June 2024 after threat actors stole their personal information in a March 2024 ransomware attack that triggered a nationwide IT outage.