Panera Bread breach report for 8 months, leaked millions of customer records
Panera
Bread breach report for 8 months, leaked millions of customer records
Panera
Bread’s website leaked millions of customer records in plain text for at least
eight months, which is how long the company blew off the issues reported by
security researcher Dylan Houlihan.
Houlihan shared
copies of email exchanges with Panera Bread CIO John Meister – who at first
accused Houlihan of trying to run a scam when he first reported the security
vulnerability back in August 2017.
According to
Houlihan's post on Medium, as well as one on Pastebin, the Panerabread.com
website had an “unauthenticated API endpoint that allows anyone to access the
following information about anyone who has ever signed up for an account to
order food from Panera Bread: username, first and last name, email address,
phone number, birthday, last four digits of saved credit card number, saved
home address, social account integration information, saved user food
preferences and dietary restrictions.”
Exactly
eight months after reporting the issue to Panera Bread, Houlihan turned to
KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken
offline. Less than two hours later, Panera said it had fixed the problem.
The company
claimed to take “data security very seriously” and added “following reports
today of a potential problem on our website, we suspended the functionality to
repair the issue.”
Even worse,
within minutes of Krebs publishing the story, Meister also told Fox News, “Our
investigation to date indicates that fewer than 10,000 consumers have been
potentially affected by this issue.
After some
more poking, Hold Security reported to Krebs that Panera didn’t just leak plain
text records of 7 million customers; “the vulnerabilities also appear to have
extended to Panera’s commercial division, which serves countless catering
companies.
You know how
upsetting it is when a vulnerability is publicly
disclosed before a company has time to resolve the issue? Yet Panera’s choice to be unresponsive to Houlihan’s disclosure of the security vulnerability is why some researchers won’t play this game and choose to disclose publicly.
disclosed before a company has time to resolve the issue? Yet Panera’s choice to be unresponsive to Houlihan’s disclosure of the security vulnerability is why some researchers won’t play this game and choose to disclose publicly.
Comments