
Security Bulletin


George Sutton

5.1 Million Accounts: What the Panera Breach Teaches About SSO Risk

February 3rd, 2026


❓What:

  • BleepingComputer reports that an intrusion attributed to the ShinyHunters group led to stolen user data being published after extortion failed.

  • The “14 million” figure referenced records, not unique people; Have I Been Pwned found ~5.1M unique email addresses/accounts in the leaked dataset.

  • Attackers claimed access via a Microsoft Entra SSO code as part of a broader voice-phishing (vishing) campaign targeting SSO accounts.


⚠️Impact:

  • Exposed data includes contact and account info such as names, phone numbers, and physical addresses tied to those ~5.1M unique emails.

  • The leaked archive reportedly also contained ~26,000 panerabread[.]com email addresses, suggesting employee data was included too.

  • Panera reportedly confirmed the breach to authorities and said the data involved was “contact information,” but (per the article) had not yet issued public breach notifications at the time of reporting.


💡Recommendations:

  • Tighten Conditional Access: impossible travel, device compliance, geo/IP restrictions, new-device challenges, session/token lifetime controls.

  • Monitor and alert on SSO anomalies: new device enrollments, unusual token grants, suspicious helpdesk resets, mass exports, and abnormal directory reads.

  • Harden the human layer: train helpdesk/IT on vishing playbooks and add call-back and verification procedures for credential/MFA reset requests.
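As an added example (not code from this bulletin, from Panera, or from the BleepingComputer article), the script below shows the shape of two of the checks recommended above, impossible travel between consecutive sign-ins and a sign-in from a device the user has never used, run over constructed sign-in events. The event field names, the 900 km/h threshold and the sample coordinates are assumptions for illustration, not Entra ID's schema or any vendor's detection logic.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: a sustained speed above this (roughly airliner speed, km/h)
# means two consecutive sign-ins cannot both be the legitimate user.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass
class SignIn:
    """One sign-in event; field names are assumptions, not Entra's schema."""
    user: str
    ts: datetime
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_sso_anomalies(events, known_devices):
    """Flag impossible travel between consecutive sign-ins of the same user,
    and sign-ins from devices not previously seen for that user.

    known_devices maps user -> set of already-enrolled device ids.
    Returns a list of alert dicts, chronological within each user."""
    alerts = []
    last_seen = {}
    seen_devices = {u: set(d) for u, d in known_devices.items()}

    for e in sorted(events, key=lambda x: (x.user, x.ts)):
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # Same place at the same moment is fine; distance with no elapsed
            # time, or an implied speed above the threshold, is not.
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"user": e.user, "reason": "impossible_travel",
                               "km": round(km), "hours": round(hours, 2)})
        devices = seen_devices.setdefault(e.user, set())
        if e.device_id not in devices:
            alerts.append({"user": e.user, "reason": "new_device",
                           "device_id": e.device_id})
            devices.add(e.device_id)  # later sign-ins from it stay quiet
        last_seen[e.user] = e
    return alerts


def run_demo():
    """Constructed sample: alice's second sign-in comes from an unknown device
    about 5,900 km away only 90 minutes after the first; bob commutes normally."""
    events = [
        SignIn("alice", datetime(2026, 2, 3, 10, 0), 42.36, -71.06, "dev-a"),   # Boston
        SignIn("alice", datetime(2026, 2, 3, 11, 30), 50.11, 8.68, "dev-b"),    # Frankfurt
        SignIn("bob", datetime(2026, 2, 3, 9, 0), 40.71, -74.01, "dev-c"),      # New York
        SignIn("bob", datetime(2026, 2, 3, 13, 0), 42.36, -71.06, "dev-c"),     # Boston
    ]
    known = {"alice": {"dev-a"}, "bob": {"dev-c"}}
    return detect_sso_anomalies(events, known)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In a real deployment the new-device check would key on the directory's device or registration id rather than a free-form string, and the alert would feed a Conditional Access step-up challenge or a helpdesk verification call rather than only a log line.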


Read the full article HERE
