Do(ug)h! Half-baked security at Panera Bread spills customer data

After eight months of loafing, baguette biz finally rises to security obligations


The website for restaurant chain Panera Bread has made the personal information for customers' online accounts available for takeout since August last year, according to security researcher Dylan Houlihan.

The all-you-can-eat menu on its website offered online account holders' full names, home addresses, email addresses, dietary preferences, usernames, phone numbers, birthdays and the trailing four digits of saved credit cards to anyone able to construct a simple web query.

It's not clear whether anyone took advantage of this moveable data feast – no actual data theft has been alleged – but eight months after initially alerting the bread biz, Houlihan finally managed to get the culinary company to close its data buffet on Monday by publishing evidence of his findings on Pastebin and alerting the media.

Houlihan, tired of being ignored by Panera's security team, posted about Panera's unpalatable security on Medium, alongside screenshots of email correspondence with Panera Bread’s information security director, Mike Gustavison.

"Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months," Houlihan wrote.

Once reports about the issue started to appear, Panera Bread CIO John Meister attempted to minimize the data exposure by telling Fox News fewer than 10,000 accounts were potentially affected.

That figure was challenged by independent security reporter Brian Krebs, who put the number initially at 7 million and subsequently revised his estimate to 37 million.

Other security researchers have since chimed in to point out subpar settings affecting other parts of Panera's website.

Fetching millions of accounts by query would have been far harder had Panera used a non-sequential, unguessable account numbering scheme.

But Panera implemented the opposite: an easily guessable account numbering scheme by which anyone with basic coding skills could hit the account API endpoint – https://delivery.panerabread.com/foundation-api/users/uramp/1234567 – and iterate through every database entry.

As the now removed Pastebin post explained, "Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database."
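Defender-side detection of the increment-through-the-accounts pattern described above, as an added example that is not code from the article, the researcher or Panera: it scans constructed access-log lines (made-up IPs and account IDs, with the path shaped like the endpoint the article names) for a single client walking consecutive account IDs.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (made-up IPs and IDs, not real traffic);
# the path is the endpoint shape the article names.
SAMPLE_LOG = """\
203.0.113.7 GET /foundation-api/users/uramp/1234567 200
203.0.113.7 GET /foundation-api/users/uramp/1234568 200
203.0.113.7 GET /foundation-api/users/uramp/1234569 200
203.0.113.7 GET /foundation-api/users/uramp/1234570 200
203.0.113.7 GET /foundation-api/users/uramp/1234571 200
198.51.100.2 GET /foundation-api/users/uramp/7000001 200
198.51.100.2 GET /menu 200
198.51.100.2 GET /foundation-api/users/uramp/7000001 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ /foundation-api/users/uramp/(?P<uid>\d+) \d+$")

def ids_per_client(log_text):
    """Map each client IP to the distinct account IDs it requested on the endpoint."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("ip")].add(int(m.group("uid")))
    return seen

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in ids (0 if empty)."""
    s, best = set(ids), 0
    for start in s:
        if start - 1 in s:
            continue  # only measure a run from its lowest member
        n = start
        while n in s:
            n += 1
        best = max(best, n - start)
    return best

def flag_enumerators(log_text, min_run=4):
    """Clients whose requests walk >= min_run consecutive account IDs.
    A legitimate user touches only their own ID; a consecutive run is the
    increment-and-collect pattern the article describes."""
    return sorted(ip for ip, ids in ids_per_client(log_text).items()
                  if longest_sequential_run(ids) >= min_run)

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # ['203.0.113.7']
```

The threshold and the one-line log format are assumptions for the demo; in practice the same check runs per client over a time window, since a real customer has no reason to request anyone else's account ID.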

The Register asked Panera Bread for comment but we've not heard back. ®


Biting the hand that feeds IT © 1998–2022