Data belonging to millions of customers was exposed by Panera Bread for eight months, reports suggest.
On Monday, security expert Brian Krebs reported that PaneraBread.com, the online domain for the US bakery and cafe chain, exposed customer records including names, email addresses, physical addresses, dates of birth, loyalty card numbers, and the last four digits of credit card numbers.
After being notified of the security breach by researcher Dylan Houlihan, Krebs found information relating to what may be close to -- or more than -- seven million customers was publicly available in plain text.
Customers that had signed up for an account to order food through the website may have been affected.
Houlihan said that Panera was originally notified back in August 2017. An email exchange between the security researcher and Panera director of information security Mike Gustavison suggests that the company had acknowledged the problem and was working on a fix.
However, eight months later, the data leak still existed.
To make matters worse, these records -- stored without any encryption in place -- could be indexed and crawled automatically, which would establish a treasure trove of information for threat actors.
The security issue, also published in detail on PasteBin, suggests that an unauthenticated API endpoint is at fault.
Not only could customer data be accessed if a visitor knew the correct link, but due to how the information was stored, it could be searched to find specific victims based on parameters such as phone numbers.
According to Houlihan, the researcher checked for a resolution to the problem every month or so, but "the flaw never disappeared."
See also: AVCrypt ransomware attempts to eradicate your antivirus
It seems it took the security hole becoming public for a resolution to appear.
The website was taken offline briefly on Monday and access to the customer data at the heart of the leak appears to have been locked down. At the time of writing, the website is now once again unavailable.
Panera told Krebs that the issue has been resolved and "there is no evidence of payment card information nor a large number of records being accessed or retrieved," however, the company later told Fox News that "fewer than 10,000 consumers have been potentially affected by this issue."