Panera Bread May Have Just Exposed Millions of Customers’ Personal Data

April 3, 2018, 3:02 PM UTC

Millions of Panera Bread customers may have had their personal data exposed by the fast-casual restaurant chain, according to security experts.

Until Monday, scores of customer records — including names, email addresses, home addresses, birth dates and final four credit card digits — were accessible as plain text on the company’s website, according to a report from security writer Brian Krebs. It’s not clear whether anyone actually accessed any of the data, which was supplied by customers who had made accounts for food delivery and other services.

The problem was first identified by security researcher Dylan Houlihan, who supplied Krebs with emails dating back to August 2017 that show Houlihan informing Panera’s information security director about the leak. “Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” Houlihan wrote in a Medium post.

In a statement provided to Fox News on Monday, Panera said the issue had been resolved and affected fewer than 10,000 customers. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” the statement reads.

Krebs, however, responded to that statement on Twitter, suggesting that the problem may have been much larger than Panera let on, and that vulnerabilities remained on the website. He estimates that as many as 37 million Panera members may have been caught up in the breach, even higher than his initial estimate of 7 million.

Panera later took its entire website down, and the problem appears to have been corrected. Representatives for the restaurant did not immediately respond to Fortune’s request for comment.