Panera Bread Data Leak Persisted For Eight MonthsDatabase of Customer Information Left Exposed via Unauthenticated API Endpoint
Panera Bread acknowledged a data leak on Monday, but says fewer than 10,000 customers were affected. The leak appears to have persisted for at least eight months, despite the company having been warned about the problem last August. And the exposed database appears to have included information on more than 7 million customers, meaning the breach could be much larger than Panera Bread claims.
See Also: Dynamic Detection for Dynamic Threats
Information security blogger Brian Krebs reported that the leak's finder, security researcher Dylan Houlihan, recently alerted him to the problem. Krebs writes that after he contacted Panera Bread with an inquiry, the company briefly took its website offline, apparently to attempt to fix the problem.
The leaked data appears to include a raft of information, including names, usernames, email addresses, phone numbers and the last four digits of payment card numbers. The data, which comprises people who ordered online from the food chain, was visible in plain text.
A statement from Penera's CIO, John Meister, provided to Information Security Media Group states that the company takes "data security very seriously, and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."
But the researcher who discovered the problem, along with Krebs, believes - despite Panera Bread publicly reporting that the leak has been fixed - that the data was still available for some length of time afterward. Krebs tweeted later on Monday that he found API issues on other subdomains within Panera Bread's website.
Panera Bread appeared to take its site completely taken offline later on Monday.
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site— briankrebs (@briankrebs) April 2, 2018
The restaurant chain did not immediately respond to further queries from ISMG. But the cause of the leak that Houlihan discovered appears to be an unauthenticated API endpoint - essentially, one end of an application programming interface that provides access to web services - that was internet-accessible. If that was indeed the culprit, then it would count as being a very basic configuration error.
"A company can spend millions on the latest and greatest security technologies and have the most impenetrable defenses known to man," says Travis Smith, principal security researcher with Tripwire. "But when you leave the front door open, none of that will matter."
Fix Followed Eight-Month Delay?
After Krebs broke the story, Houlihan published his own account of how his breach notification process went down with Panera Bread. He says he first notified the company about the problem on Aug. 2, 2017.
Houlihan, who is the managing principal of the New York-based security consultancy Breaking Bits Security, continued to monitor whether the problem had been fixed. And after it went unresolved for eight months, Houlihan shared the details of the problem with Krebs.
Security researchers often complain that their findings are not acted upon quickly enough after they notify an organization about a leak or breach. In recent years, however, many organizations have clearly posted email addresses on their website for reporting any such flaws. An emerging norm among researchers has also been to give organizations 90 days to fix or acknowledge a flaw, before making the information public (see Google's Psychological Patch Warfare). In exceptional circumstances, such as the recent Meltdown and Spectre in CPUs, longer delays may be negotiated to give organizations more time to make essential fixes.
Third-party bug bounty programs are also helping to reduce the friction between researchers and organizations that need to fix flaws. Organizations are increasingly contracting with companies such as HackerOne and Bugcrowd to administer programs that reward independent security researchers for finding flaws.
Panera Bread does not appear to participate in any bug bounty programs. The company also does not seem to have been receptive to the heads-up from Houlihan that its website was leaking data, at least according to several exchanges that he published involving emails between himself and Mike Gustavison, Panera Bread's director of information security.
PGP Key Showdown
Gustavison initially dismissed Houlihan's email alert as being suspicious, saying it appeared to be a scam.
In return, Houlihan offered to send a sample of the leaked data to Gustavison, if he provided his PGP key. Gustavison wrote back that he would have recommended "a better approach as demanding a PGP key would not be a good way to start off." In a subsequent email, however, Gustavison said he didn't mean to offend, and that he appreciated the alert.
Houlihan writes that he's both submitted and responded to random security reports before. He says Gustavison's initial reaction was unwarranted.
"The response I received is not appropriate whatsoever," Houlihan writes. "There is never a reason to begin a conversation like that by being so defensive."
After Houlihan sent the details of the flaw and several follow-up emails, Gustavison told him on Aug. 9, 2017, that Panera Bread was "working on a resolution."
Terry Ray, CTO of the security firm Imperva, says Panera Bread may have failed to test the finding when it first received Houlihan's alert.
"They certainly appear capable of fixing the issue as they did quickly today, so why didn't it happen in August when they were first alerted?" Ray told ISMG on Monday.
Potentially Large Database
Krebs posted a redacted screenshot that includes some of the leaked data, which Houlihan had also posted to text-sharing website Pastebin on Monday in order to raise attention.
"I'd like to report a security vulnerability in Panera Bread's web application," Houlihan said in his Pastebin post. "There is a publicly available, completely unauthenticated API endpoint that allows anyone to access the following information about anyone who has ever signed up for an account to order food from Panera Bread."
The leaked data encompasses first and last name, email addresses, phone numbers, birthdates, the last four digits of card numbers, home addresses, social media account information, food preferences and dietary restrictions.
Knowing someone's phone number is enough to then look up the accompanying information in the database, Houlihan writes. The sample data posted include an account ID number of 7,382,194, indicating there could be more than seven million records in the database.
"Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database," Houlihan writes.
Busy Breach Week
Panera Bread's leak adds to what has been a busy week for publicly revealed breaches.
The department stores Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor suffered a breach starting around May 2017 that exposed 5 million payment card numbers, some of which are now appearing for sale on dark web marketplaces. Parent company Hudson's Bay Company confirmed the breach on Sunday.
The cybersecurity firm Gemini Advisory suspects the attack was carried out by the Carbanak gang, which security companies also refer to as Anunak, JokerStash and Cobalt (see Saks, Lord & Taylor Suffer Payment Card Data Breach).
Last week, meanwhile, the athletic apparel maker Under Armour said a hacker accessed the accounts of 150 million users, including hashed password, for its MyFitnessPal mobile app and website (see Under Armour Reports Massive Breach of MyFitnessPal App).
Executive Editor Mathew Schwartz contributed to this report.