Date: 2018-04-04

Panera Bread’s website has allegedly been leaking names, email addresses, physical addresses, birthdays, ordering habits, food preferences, and the last four digits of credit card numbers of customers who have used MyPanera or ordered food online over the past eight months, according to a report by KrebsOnSecurity.

Security researcher Dylan Houlihan claims he first reported the data leak to the fast-casual chain on August 2, 2017, but that the company disregarded his report as a scam, according to an email thread between Houlihan and Mike Gustavison, Panera’s Director of Information Security.

Houlihan told KrebsOnSecurity he checked on the site at least once a month after he notified the company, and for eight months they took no action to fix the leak. Then, after being notified again on Monday, Panera’s Chief Information Officer John Meister said they temporarily took their website offline to fix the issue.

The company released a statement to Fox News claiming only 10,000 customer records were exposed, but Hold Security, an information security and cyber investigations firm, reported to KrebsOnSecurity that they believe the actual number of people affected by this leak is nearly 37 million.

Panera customers have reacted to the breach on Twitter, with some people poking fun at the fact that their ordering habits could now possibly be available to the general public.

Oh god no. Never thought my #Panera order history would get out. I am deeply sorry for all the broccoli cheddar soup bread bowls I have hurt and I want my followers to know I will not run from this. https://t.co/0FscyCmH9I — Jonathan Wald (@ManVsWald) April 3, 2018

I never thought I would need financial protection from soup in a bread bowl. #panera — John Hersman (@UncoolJohn) April 4, 2018

Panera told KrebsOnSecurity in a written statement that they take “data security very seriously.”

“Our investigation is continuing,” the statement continued, “but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”