Date: 2018-04-02
Panerabread.com Leaks Millions of Customers Records (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs on Security: Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records -- including names, email and physical addresses, birthdays and the last four digits of the customer's credit card number -- for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.
Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with [security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017].
Pantera (Score:1)
Walk on home boy!
Four by four (Score:2)
I have the last four digits from one company, and the first four digits from another.
What are the odds of guessing the full number?
Re: (Score:1)
I have the last four digits from one company, and the first four digits from another.
The first four digits identify the issuing bank.
What are the odds of guessing the full number?
There are 16 digits, and you know 8, then that leaves 8. But only one in ten has a proper checksum, so there are 10^7 possibilities.
But Panera did not explain (Score:1)
Re: (Score:2)
They send me coupons for sandwiches. And probably sell my data to marketing firms, most likely for regional spending statistics.
Also with the account I can order online for pick up, and I get a free pastry sometimes (I think once a month?)
hah. (Score:2)
There's an entire industry based around exploiting these kinds of holes for financial gain.
panera, underarmour, zillow, trulia, dominos, wayfair etc etc. Track the sales/customer data, you have a very good idea of revenue numbers.
Security researcher though? Bleh.
Re: (Score:2)
Uh OOO! (Score:2)
They're gonna be toast!
Re: (Score:2)
They're gonna be toast!
Heyooohhh!
It'd be easier (Score:2)
Re: (Score:2)
If we just reported the 2 companies that didn't hand over our data.
Blockbuster and Funcoland.
Are you any safer w/o credit card #? (Score:3)
My first thought was that Panera doesn’t have my credit card number, since I’ve always used NFC payments (Apple Pay) there. But still - with physical address, email address, and birthday, it probably wouldn’t take much for a bad guy to bluff his way into any number of my other accounts and/or steal my mail to get any physically sent verification (like Citi uses).
If it were only a matter of some jerk getting into my Panera account... but that is the least of my worries.
Stop giving them personal information doofuses! (Score:2)
Oh for crying out loud! Why the heck would anyone give your name, email address, physical addresses, or birthday to Panera bread just to do an online order! These data breaches are bad, but I'm sick and tired of everyone giving away completely unnecessary information! If the cashier says "What's your zip code" you say "no thanks." If the grocery store wants you to give your name and phone number to get a discount card either lie, or don't get the discount. Enough is enough folks! My sympathy has run o
Re: (Score:2)
Re: (Score:2)
If you're ordering delivery, you're going to have a very interesting time getting your order without providing a physical address for it to be delivered to.