Slashdot Mirror


Panerabread.com Leaks Millions of Customers Records (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs on Security: Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records -- including names, email and physical addresses, birthdays and the last four digits of the customer's credit card number -- for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.

Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with [security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017].

20 of 88 comments

  1. Pantera by fattmatt · · Score: 4, Funny

    Walk on home boy!

  2. But Panera did not explain by john+of+sparta · · Score: 2

    'cause nobody made them. your data is your problem. not ours.

  3. Good grief by Anonymous Coward · · Score: 2, Interesting

    Does ANYONE know what they're doing with this sh!t?

    Because at this point, all I can safely say is this: If it's online, it ain't secure... period. No matter who tells you it is, it ain't.

  4. hah. by rogoshen1 · · Score: 2

    There's an entire industry based around exploiting these kinds of holes for financial gain.

    panera, underarmour, zillow, trulia, dominos, wayfair etc etc. Track the sales/customer data, you have a very good idea of revenue numbers.

    Security researcher though? Bleh.

  5. Uh OOO! by EETech1 · · Score: 3, Funny

    They're gonna be toast!

  6. It'd be easier by Ol+Olsoc · · Score: 3, Funny

    If we just reported the 2 companies that didn't hand over our data.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  7. Are you any safer w/o credit card #? by 93+Escort+Wagon · · Score: 3, Informative

    My first thought was that Panera doesn’t have my credit card number, since I’ve always used NFC payments (Apple Pay) there. But still - with physical address, email address, and birthday, it probably wouldn’t take much for a bad guy to bluff his way into any number of my other accounts and/or steal my mail to get any physically sent verification (like Citi uses).

    If it were only a matter of some jerk getting into my Panera account... but that is the least of my worries.

    --
    #DeleteChrome

    1. Re:Are you any safer w/o credit card #? by omnichad · · Score: 5, Informative

      NFC from the actual, physical card can send the full track 1 data, including 16-digit account number (Apple Pay shares a virtual number). It's a real card number and could still be potentially used online - just can't be cloned to a magstripe card and used, and can't be used online without the 3-digit code off the back.

  8. Re: Four by four by Anonymous Coward · · Score: 3, Insightful

    Easy, just call up the card owner, tell them you're from the bank and verify with the last four digits. They'll give it to you no problem!

  9. Stop giving them personal information doofuses! by MobyDisk · · Score: 4, Insightful

    Oh, for crying out loud! Why the heck would anyone give their name, email address, physical address, or birthday to Panera Bread just to do an online order? These data breaches are bad, but I'm sick and tired of everyone giving away completely unnecessary information! If the cashier says "What's your zip code?" you say "no thanks." If the grocery store wants you to give your name and phone number to get a discount card, either lie or don't get the discount. Enough is enough, folks! My sympathy has run out.

    1. Re:Stop giving them personal information doofuses! by MobyDisk · · Score: 2

      Panera delivers? The ones near me don't. I figured this was for a pick-up order.

  10. monetize it if you think it's valuable by supernova87a · · Score: 3, Interesting

    I keep saying, the following penalty scheme will clean up data breaches right quick:

    $1 per name, email, physical address
    $2 per phone number
    $3 per credit card number
    $4 per SSN

    And multiply for combinations thereof. You'll see how fast companies move to secure their data.

  11. Re:You're probably in worse shape by 93+Escort+Wagon · · Score: 4, Insightful

    But since you paid with Apple Pay, they've also got your Apple ID, and maybe even your phone number.

    You don’t seem to know how Apple Pay works - neither piece of information is involved. Additionally, the bank holds any financial liability - not the consumer.

    --
    #DeleteChrome

  12. This is bad by wyattstorch516 · · Score: 2, Funny

    Somebody could hack into my loyalty account and take the free cookie I am due with three more visits.

  13. Re:You're probably in worse shape by LifesABeach · · Score: 2

    I wish I could mod you up, ran out of points. But you're right. Most credit card fraud is treated as shoplifting, so the store gets to deal with it.

  14. Re:Online retailers don't have to store this info by b0s0z0ku · · Score: 2

    Or just pay good, old-fashioned, cold, hard cash to a vendor that's not a large corporation. Call a restaurant for delivery or just pick up yourself.

  15. Hit close to home by ace123 · · Score: 3, Funny

    ... or close to localhost at least. I always wondered what they did with all the data I send by mistake to 12.7.00.1

    NetRange: 12.7.0.0 - 12.7.0.7
    CIDR: 12.7.0.0/29
    NetName: PANERA-B13-0-0
    NetHandle: NET-12-7-0-0-1

  16. Consequences? by hyades1 · · Score: 2

    None.

    Those of us who care about incidents like this are increasingly painted into a corner. The sheeple, on the other hand, just don't care. If they get a chance to trade their contacts list for 20 "reward points", they'll do it in a heartbeat. If you're on that list, too bad.

    And companies like Panerabread continue to get away with this kind of nonsense.

    Just once, I would love to see somebody whose family was affected by something like this put the entire lives of the offending corporation's board on-line. Names, addresses, tax returns, where their kids go to school...all of it. See how they like it when they face the same sort of exposure they inflict on others, with maybe a little interest added.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.

  17. Re: Four by four by dclydew · · Score: 2

    The first 6 digits are the BIN range, which identifies the card type (first digit) and issuing bank (rest of the BIN). Those are not (by themselves) sensitive. The PCI specification states that the first 6 and last 4 digits of a PAN may be in the clear, i.e. 5555 43** **** 3232, and that this has a difficulty of being guessed of 10^6 (due to the Luhn check).

    As long as the middle 6 are not exposed, then first 6/last 4 isn't a 'huge' concern from a card compromise perspective. It is, however, a large risk from a social engineering perspective. An attacker could answer certain security questions and/or pretend to be someone who legitimately has that kind of information and convince people to think they are an appropriate organization to share further information with.

    --
    Get a life, not a lifestyle. - Hikem Bey

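
As an added example (not from the thread or from Panera), the following Python applies the PCI DSS display truncation the comment above describes, first 6 and last 4 in the clear, to any Luhn-valid 16-digit run found in exported customer records, which is the kind of check that would have caught plaintext card data before it was served. The records and card numbers are constructed test values, not data from the leak.

```python
import re

# Constructed sample records (not from the leak). The PANs are the
# well-known Visa/Mastercard test numbers; the third is a non-Luhn run.
SAMPLE_RECORDS = [
    "id=1001 name=Jane Doe email=jane@example.com pan=4111111111111111",
    "id=1002 name=John Roe email=john@example.com pan=5555555555554444",
    "id=1003 name=Bad Data email=bad@example.com pan=1234567890123456",
    "id=1004 name=No Card email=none@example.com pan=",
]

# A 16-digit run not adjacent to other digits (avoids splitting longer ids).
PAN_RE = re.compile(r"(?<!\d)(\d{16})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS truncation for display: at most first 6 and last 4 visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid 16-digit run; return (new_line, number_masked)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        pan = m.group(1)
        if not luhn_valid(pan):
            return pan  # fails Luhn, so not a plausible card number
        count += 1
        return mask_pan(pan)

    return PAN_RE.sub(repl, line), count


def scan(records: list[str]) -> tuple[list[str], int]:
    """Redact a batch of records and report how many PANs were found in the clear."""
    redacted, total = [], 0
    for line in records:
        new_line, n = redact_line(line)
        redacted.append(new_line)
        total += n
    return redacted, total
```

Run over SAMPLE_RECORDS, two of the four lines are rewritten; a nonzero count in a pre-publication check is the signal that an export still carries full card numbers.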
  18. Fun fact about the CIO... by SmokeyRobot · · Score: 2

    He was Chief Security Officer at Equifax until 2013.