An anonymous reader quotes a report from Krebs on Security: Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records -- including names, email and physical addresses, birthdays and the last four digits of the customer's credit card number -- for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery. Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017.