Panera breach exposes 14m in wave of SaaS extortion attacks
Panera Bread is facing fresh scrutiny from security experts after confirming a data breach that allegedly exposed information on around 14 million customers, in an incident that threat-actor claims link to the ShinyHunters group and to a wider wave of SaaS-focused extortion attacks.
The US-based bakery and café chain has reportedly seen customer data advertised on criminal forums, including personal information that could support identity theft and fraud. The breach follows earlier security incidents at the company and a previous class-action settlement over alleged failures to protect consumer data.
Panera has confirmed the breach but has not publicly detailed the full scope of the incident or the initial intrusion vector. Security practitioners say the case reflects a shift in how threat groups target large organisations that depend on cloud-based applications.
Extortion trend
Cybersecurity specialists link the Panera incident with a broader pattern of attacks that focus on identity systems and software-as-a-service environments rather than traditional on-premise infrastructure.
"What's most noteworthy is that this isn't just a Panera problem. It's a very public example of an ongoing breach and extortion campaign where attackers go after high-profile organizations' SaaS tenants, extract high-value data (often PII), and then ransom it back using pressure tactics and 'proof' samples. In the Panera case, a threat-actor claim ties to ShinyHunters and a large alleged dataset, which is consistent with the broader pattern we're seeing: compromise identity access first, then pivot into cloud/SaaS systems where data concentration is highest (email/CRM/collaboration), and monetize through extortion rather than quietly stealing data and disappearing," said Cory Michal, CSO, AppOmni.
Security vendors and incident responders report that extortion crews now frequently advertise or leak sample data to increase pressure on victim organisations. They say this approach often includes direct contact with companies, demands for payment, and threats of publication on dedicated leak sites.
Identity-first attacks
Recent warnings from identity providers have focused on social engineering, session hijacking and multi-factor authentication fatigue as common tools for breaching single sign-on platforms. Security teams say a compromised SSO account gives rapid access to a wide range of SaaS applications.
"This aligns closely with Okta's recent warnings about vishing-driven SSO compromise targeting Okta, Microsoft, and Google. This 'identity-first' tradecraft is what enables rapid access to downstream SaaS data stores for theft and extortion. Okta has described custom, real-time kits used during voice calls to capture credentials/session tokens and defeat non-phishing-resistant MFA across these major identity ecosystems. That's consistent with what AppOmni is seeing from extortion groups operating with distinct playbooks per IdP and then pivoting into SaaS tenants like M365, Google Workspace and Salesforce to export data," said Michal.
Penetration testers and advisers say attackers often spend more effort on manipulating staff than on exploiting software flaws. They view identity compromise as a pivot point into email, collaboration tools and customer databases.
Repeated compromises
Panera has faced criticism in the past over data exposure issues. Security practitioners say recurring incidents at large consumer brands highlight weaknesses in how enterprises manage identity and SaaS security across distributed operations and franchise structures.
"The big lesson is Panera's repeated compromises. The fact it's already had to settle class-action claims over alleged failures to protect consumer data shows how difficult it is for large, distributed organizations to consistently operationalize SaaS and identity security at scale," said Michal.
Experts say many business units adopt cloud tools quickly, while security and governance processes often lag behind. They point to inconsistent access controls, excessive permissions, and unmanaged third-party integrations as common risks.
"Panera is a visible example of what extortion crews are doing broadly: iterating quickly to compromise identity access, pivot into SaaS tenants where sensitive data lives, and monetize through theft and ransom. To avoid this fate, organizations need a mature SaaS security, identity, and Zero Trust program with phishing-resistant MFA, hardened helpdesk/enrollment workflows, continuous monitoring for abnormal SaaS access and bulk exports, and strict least-privilege and third-party/OAuth governance. These attackers will keep improving unless they're disrupted," said Michal.
Human factor
Consultants at NCC Group say techniques such as vishing and MFA fatigue are now common in intrusions against corporate IT environments. They report that staff often struggle to distinguish legitimate helpdesk requests from attacker prompts.
"We have seen effective social engineering persuade staff to provide their multi-factor authentication (MFA) details to attackers masquerading as their helpdesk, and MFA 'bombing' whereby the member of staff is inundated with MFA requests until they respond. Both versions allow the attacker to compromise an IT estate," said Tim Rawlins, Senior Adviser and Director, Security, NCC Group.
Rawlins said one response is clearer internal processes and repeated training that focus on the specifics of how staff should expect contact from IT support.
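One way to turn the MFA 'bombing' pattern described above into a detection, as an added example that is not from the article or from NCC Group: it scans constructed IdP-style push-challenge events (the event format, 10-minute window and 5-challenge threshold are assumptions) for a burst of challenges to one user and flags whether the burst ended in an approval.

```python
"""MFA push-fatigue detector over constructed IdP-style audit events. Added
example, not the article's or any vendor's code; format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push outcome).
# alice: rejected pushes ending in an approval; bob: normal; carol: approvals spread over an hour.
SAMPLE_EVENTS = [
    ("2024-01-01T02:10:05", "alice", "DENY"),
    ("2024-01-01T02:10:21", "alice", "DENY"),
    ("2024-01-01T02:10:48", "alice", "DENY"),
    ("2024-01-01T02:11:15", "alice", "DENY"),
    ("2024-01-01T02:11:50", "alice", "DENY"),
    ("2024-01-01T02:13:40", "alice", "ALLOW"),
    ("2024-01-01T09:00:00", "bob", "ALLOW"),
    ("2024-01-01T09:05:00", "bob", "DENY"),
    ("2024-01-01T08:00:00", "carol", "ALLOW"),
    ("2024-01-01T08:15:00", "carol", "ALLOW"),
    ("2024-01-01T08:30:00", "carol", "ALLOW"),
    ("2024-01-01T08:45:00", "carol", "ALLOW"),
    ("2024-01-01T09:00:00", "carol", "ALLOW"),
]

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: severity} for users with >= threshold push challenges in any
    sliding `window`. 'approved_after_denials' means a burst with denials ended in
    an ALLOW (the user likely gave in); 'burst_only' means they kept rejecting."""
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((datetime.fromisoformat(ts), outcome))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until it is within `window` of `end`.
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = items[start:end + 1]
            if len(burst) < threshold:
                continue
            denials = sum(1 for _, outcome in burst if outcome == "DENY")
            if denials and burst[-1][1] == "ALLOW":
                alerts[user] = "approved_after_denials"  # highest severity, never downgraded
            else:
                alerts.setdefault(user, "burst_only")
    return alerts
```

An 'approved_after_denials' hit is the case to treat as a probable account compromise and revoke sessions; a 'burst_only' hit still warrants contacting the user through a known-good channel.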
"The only counter to such attacks is better staff awareness and phishing-resistant MFA, such as FIDO keys along with effective processes. At NCC Group, we are regularly being asked to both test organizations with our social engineering specialists and provide staff briefings and advice such as:
"'Your helpdesk will never:
- Call your mobile or landline phone - they only use Teams messages (not calls), email or Slack.
- Ask for your password or MFA code.
- Give you a password over the telephone.
- Pressure you to make you act quickly.
- Ask you to share personal information - they only need your employee ID and IT asset number etc (i.e. details which cannot be easily obtained by OSINT research).
'And if you do need to reset your password, there will be a three-way video call between you, your line manager and the helpdesk, or you will have to go into the office,'" said Rawlins.
Customer fallout
Security advisers say the alleged theft of Panera customer details could expose individuals to fraud, phishing and longer-term misuse of data. They note that data sold on criminal forums often circulates for years after an incident.
"The Panera Bread data breach will be devastating for those affected. Not only do affected customers run the risk of identity theft, but we know that PII is sold on to other criminal groups on the dark web who will exploit victims through social engineering. The combination of PII that has been taken, if true, poses a real risk to the victims of this hack," said Ade Clewlow, Associate Director & Senior Advisor, NCC Group.
Clewlow said the case highlights gaps in how many organisations understand and manage their digital footprint.
"Once again, this hack shines a spotlight on the practices and policies of an organization's IT security provision. We see, time and time again, corporate IT security teams who don't fully comprehend the capabilities of threat actors and fail to see their networks from a cyber criminal's perspective. This is key. If you don't know how they will attack, how can you set your defences?" said Clewlow.
"We also find IT security teams unable to explain how their network is configured, with little grasp of all their assets or their vulnerabilities with internet-facing technology. Again, if you don't know what you've got, how can you protect it? Doing the basics right will offer some resistance to cyber criminals, but we see far too many examples of companies failing to grasp the importance of keeping customer data safe. Without the right skills, investment and mindset from senior leadership, companies will continue to fall victim to cyber-attacks, with customers almost always feeling the pain," said Clewlow.