Panera Bread breach report for 8 months, leaked millions of customer records
Panera Bread's website leaked millions of customer records in plain text for at least eight months, which is how long the company blew off the issues reported by security researcher Dylan Houlihan.
Houlihan shared copies of email exchanges with Panera Bread CIO John Meister, who at first accused Houlihan of trying to run a scam when he first reported the security vulnerability back in August 2017.
According to Houlihan's post on Medium, as well as one on Pastebin, the Panerabread.com website had an "unauthenticated API endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to order food from Panera Bread: username, first and last name, email address, phone number, birthday, last four digits of saved credit card number, saved home address, social account integration information, saved user food preferences and dietary restrictions."
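The class of defect described above is a profile endpoint that takes an account identifier and returns the record without checking who is asking. The following is an added illustration, not Panera's code and not based on any detail of its actual API: a hypothetical `lookup_vulnerable` handler that reproduces that failure mode beside a `lookup_hardened` version that first requires a valid session and then enforces object-level authorization, so a logged-in customer can read only their own profile. The customer records, session tokens and ids are constructed sample data.

```python
from typing import Optional

# Constructed sample customer table (hypothetical data, not real records).
CUSTOMERS = {
    1001: {"username": "alice", "email": "alice@example.com",
           "phone": "555-0101", "card_last4": "1234"},
    1002: {"username": "bob", "email": "bob@example.com",
           "phone": "555-0102", "card_last4": "5678"},
}

# Constructed session store: bearer token -> id of the customer who logged in.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class AuthError(Exception):
    """Raised when the caller is unauthenticated or not allowed to see the record."""


def lookup_vulnerable(customer_id: int) -> Optional[dict]:
    """The pattern the article describes: the endpoint accepts an id and returns
    the full profile with no authentication, so any caller can read any account."""
    return CUSTOMERS.get(customer_id)


def lookup_hardened(token: Optional[str], customer_id: int) -> dict:
    """Hardened form of the same endpoint.

    1. Authentication: the request must carry a session token we issued.
    2. Authorization: the session owner may only read their own profile.
    The 'forbidden' and 'not found' cases return the same error so the
    endpoint does not confirm which customer ids exist.
    """
    if token is None or token not in SESSIONS:
        raise AuthError("authentication required")  # would be HTTP 401
    if SESSIONS[token] != customer_id:
        raise AuthError("not found")                 # would be HTTP 404, not 403
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise AuthError("not found")
    return record


def _allowed(fn, *args) -> bool:
    """Return True if the handler hands back a record, False if it refuses."""
    try:
        return fn(*args) is not None
    except AuthError:
        return False


def compare_handlers() -> dict:
    """Show what an anonymous caller and Alice's session can read about Bob (1002)
    under each handler, plus the legitimate case of Alice reading her own record."""
    return {
        "anon_reads_bob_vulnerable": _allowed(lookup_vulnerable, 1002),
        "anon_reads_bob_hardened": _allowed(lookup_hardened, None, 1002),
        "alice_reads_bob_hardened": _allowed(lookup_hardened, "tok-alice", 1002),
        "alice_reads_self_hardened": _allowed(lookup_hardened, "tok-alice", 1001),
    }


if __name__ == "__main__":
    for check, result in compare_handlers().items():
        print(f"{check}: {result}")
```

The two checks are deliberately separate: a session requirement alone would still let any registered customer read every other customer's profile, which is why the ownership comparison in step 2 is the part that actually closes the hole. Returning an identical error for "not yours" and "does not exist" is a small extra that keeps the endpoint from confirming valid ids.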
Exactly eight months after reporting the issue to Panera Bread, Houlihan turned to KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken offline. Less than two hours later, Panera said it had fixed the problem.
The company claimed to take "data security very seriously" and added, "following reports today of a potential problem on our website, we suspended the functionality to repair the issue."
Even worse, within minutes of Krebs publishing the story, Meister also told Fox News, "Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue."
After some more poking, Hold Security reported to Krebs that Panera didn't just leak plain text records of 7 million customers; "the vulnerabilities also appear to have extended to Panera's commercial division, which serves countless catering companies."
You know how upsetting it is when a vulnerability is publicly disclosed before a company has time to resolve the issue? Yet Panera's choice to be unresponsive to Houlihan's disclosure of the security vulnerability is why some researchers won't play this game and choose to disclose publicly.