As many as 37 million customer records were exposed thanks to a security vulnerability that Panera Bread chose to ignore for eight months.

Panera Bread’s website leaked millions of customer records in plain text for at least eight months, which is how long the company blew off the issue reported by security researcher Dylan Houlihan. Houlihan finally turned to Brian Krebs, who ran with the story. From there, it turned into a real cluster flub.

Houlihan shared copies of email exchanges with Panera Bread CIO John Meister, who at first accused Houlihan of trying to run a scam when he reported the security vulnerability in August 2017.

According to Houlihan’s post on Medium, as well as one on Pastebin, the Panerabread.com website had an “unauthenticated API endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to order food from Panera Bread: username, first and last name, email address, phone number, birthday, last four digits of saved credit card number, saved home address, social account integration information, saved user food preferences and dietary restrictions.”

Exactly eight months after reporting the issue to Panera Bread, Houlihan turned to KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken offline. Less than two hours later, Panera said it had fixed the problem.
The company claimed to take “data security very seriously” and added, “following reports today of a potential problem on our website, we suspended the functionality to repair the issue.” That might sound good, except the security issue had been reported eight months before Krebs went public with the information, so it’s not as if the problem was first known “today.”

Even worse, within minutes of Krebs publishing the story, Meister also told Fox News, “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was “discovered,” eight months after it was reported.
— briankrebs (@briankrebs) April 2, 2018

To that, Houlihan asked, “A company is incompetent enough to leave a gaping hole like this trivially open for eight months after initial notification, yet it’s competent enough to review its logs definitively within two hours of the publicity?”

Panera Bread’s ‘fix’ wasn’t really a fix

Plenty of people were poking at the supposed “fix” by then. Hold Security told Krebs that “Panera had basically ‘fixed’ the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records.” In other words, the endpoint now demanded authentication, but any logged-in account could still pull other customers’ records; a login check is not an authorization check.

After some more poking, Hold Security reported to Krebs that Panera hadn’t just leaked plain-text records of 7 million customers; “the vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies.
At last count, the number of customer records exposed in this breach appears to exceed 37 million.”

Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn’t extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018

At that point, Panerabread.com was taken offline and was still offline at the time of writing.

Oh look, the guy my source initially notified at @panerabread EIGHT MONTHS AGO — their dir. of info security – was senior dir. of security operations at Equifax until 2013. Shocker. https://t.co/kLepEToKqr
— briankrebs (@briankrebs) April 2, 2018

You know how upsetting it is when a vulnerability is publicly disclosed before a company has had time to resolve the issue? Yet Panera’s choice to be unresponsive to Houlihan’s private report of the vulnerability is exactly why some researchers refuse to play the coordinated-disclosure game and go public instead.

“Originally I was content to wait eight months for Panera to fix this on their own. But this is ridiculous,” Houlihan wrote. “I’m not going to stand for reporting that sweeps all of this under the rug. While Panera Bread’s website remains down due to several specific examples demonstrating the ‘resolution’ didn’t resolve anything, news reports are not updating this fact. Until we start holding companies more accountable for their public statements with respect to security, we will continue to see statements belying a dismissive indifference with PR speak.”
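The failed “fix” described above, requiring a login while still letting any account holder view any customer’s record, is the classic confusion of authentication with authorization. The following is an added illustration, not Panera’s code and not taken from Houlihan’s or Krebs’s write-ups; it models a customer-lookup-by-phone-number endpoint in three versions (the original unauthenticated hole, a login-only “fix”, and a version that also checks the record belongs to the caller) and sweeps a block of phone numbers against each. The customer records, session tokens and phone numbers are all constructed for the example.

```python
"""Added example (not Panera's code): why 'require a login' does not close an
unauthenticated record-lookup endpoint. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: int
    username: str
    phone: str
    email: str
    card_last4: str


# Constructed sample records (not real customers).
CUSTOMERS: Dict[int, Customer] = {
    1001: Customer(1001, "alice", "5551230001", "alice@example.com", "4242"),
    1002: Customer(1002, "bob", "5551230002", "bob@example.com", "0005"),
}
# The index a lookup-by-phone endpoint would need.
PHONE_INDEX: Dict[str, int] = {c.phone: c.customer_id for c in CUSTOMERS.values()}

# Constructed session table: bearer token -> customer id of the logged-in user.
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


class Unauthorized(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Valid session, but the record is not the caller's (or does not exist)."""


def lookup_unauthenticated(phone: str) -> Optional[Customer]:
    """Version 1, the original hole: no session required, any phone number
    resolves to the full record."""
    cid = PHONE_INDEX.get(phone)
    return CUSTOMERS[cid] if cid is not None else None


def lookup_login_only(token: str, phone: str) -> Optional[Customer]:
    """Version 2, the 'fix': a valid login is required, but the handler still
    returns whichever record the phone number points to. Authentication was
    added, authorization was not, so any account holder can keep enumerating
    everyone else."""
    if token not in SESSIONS:
        raise Unauthorized()
    return lookup_unauthenticated(phone)


def lookup_authorized(token: str, phone: str) -> Customer:
    """Version 3: authenticate, then enforce object-level authorization by
    checking that the resolved record belongs to the caller."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Unauthorized()
    cid = PHONE_INDEX.get(phone)
    # Same response for 'not yours' and 'no such number' so the endpoint cannot
    # be used as an oracle for which phone numbers have accounts.
    if cid is None or cid != caller:
        raise Forbidden()
    return CUSTOMERS[cid]


def harvest(lookup: Callable[[str], Optional[Customer]], phones: List[str]) -> List[str]:
    """Simulate an attacker walking a block of phone numbers against one of the
    handlers; returns the e-mail addresses recovered, in sweep order."""
    emails: List[str] = []
    for phone in phones:
        try:
            rec = lookup(phone)
        except (Unauthorized, Forbidden):
            continue
        if rec is not None:
            emails.append(rec.email)
    return emails


# A small constructed block of numbers to sweep: 5551230000 .. 5551230004.
SWEEP = [f"555123{n:04d}" for n in range(0, 5)]

if __name__ == "__main__":
    print("unauthenticated:  ", harvest(lookup_unauthenticated, SWEEP))
    print("login only (bob): ", harvest(lambda p: lookup_login_only("tok-bob", p), SWEEP))
    print("authorized (bob): ", harvest(lambda p: lookup_authorized("tok-bob", p), SWEEP))
```

Run stand-alone, the first two sweeps return both customers’ addresses: the login-only version only changes who can enumerate (anyone with a free account instead of anyone at all), which is why Hold Security could still pull records after the “fix”. Only the third version confines a logged-in user to their own record, and it deliberately answers “not yours” and “no such number” identically so the endpoint cannot be turned into a phone-number oracle.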