ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More
The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. According to claims reviewed by The Register and shared on the dark web, the group exfiltrated over 14 million records from Panera Bread, including names, email addresses, phone numbers, and account details, totaling 760 MB of compressed data. CarMax and Edmunds were also reportedly breached, with 500,000+ records (1.7 GB) and "millions" of records (12 GB), respectively, containing similar personally identifiable information (PII).
ShinyHunters stated it accessed Panera’s systems via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches stemmed from earlier, unrelated intrusions. The group’s claims align with previous activity by Scattered Lapsus$ Hunters, a linked threat actor that posted CarMax data on a now-defunct leak site last fall, citing compromises in Salesforce environments.
The campaign extends beyond these three companies. Last week, ShinyHunters added Crunchbase, SoundCloud, and Betterment to its list of victims, claiming over 50 million records stolen in total. Access to Crunchbase and Betterment was reportedly gained through voice-phishing attacks targeting Okta SSO credentials, a tactic Okta warned about in recent advisories. Betterment confirmed an unauthorized intrusion on January 9, in which attackers used social engineering to access third-party marketing platforms and send fraudulent crypto-related messages to customers.
Security researchers have observed the group’s expanding operations. Silent Push reported that ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations in the past 30 days, though it remains unconfirmed how many attacks succeeded. Meanwhile, Mandiant is tracking a "new, ongoing ShinyHunters-branded campaign" leveraging voice-phishing to harvest SSO credentials.
None of the named companies (Panera Bread, CarMax, Edmunds, Crunchbase, or Betterment) has publicly responded to the claims. Microsoft and Google stated they had no indication their products were directly affected by the phishing campaign. The incidents underscore the growing threat of social engineering attacks that bypass multi-factor authentication (MFA) to compromise corporate systems.
Source: https://www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/
Panera Bread TPRM report: https://www.rankiteo.com/company/panera-bread
Edmunds TPRM report: https://www.rankiteo.com/company/edmunds-com
CarMax TPRM report: https://www.rankiteo.com/company/carmax-inc
{
  "id": "panedmcar1769547392",
  "linkid": "panera-bread, edmunds-com, carmax-inc",
  "type": "Breach",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '14 million records',
'industry': 'Food & Beverage',
'name': 'Panera Bread',
'type': 'Corporation'},
{'customers_affected': '500,000+ records',
'industry': 'Automotive',
'name': 'CarMax',
'type': 'Corporation'},
{'customers_affected': 'Millions of records',
'industry': 'Automotive',
'name': 'Edmunds',
'type': 'Corporation'},
{'industry': 'Technology (Business Information)',
'name': 'Crunchbase',
'type': 'Corporation'},
{'industry': 'Technology (Music Streaming)',
'name': 'SoundCloud',
'type': 'Corporation'},
{'industry': 'FinTech',
'name': 'Betterment',
'type': 'Corporation'}],
'attack_vector': ['Phishing (Voice-Phishing)',
'Exploitation of SSO Vulnerabilities',
'Social Engineering'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': ['14 million (Panera Bread)',
'500,000+ (CarMax)',
'Millions (Edmunds)',
'50+ million (Total Across All '
'Victims)'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII, Account Credentials)',
'type_of_data_compromised': ['Names',
'Email Addresses',
'Phone Numbers',
'Account Details']},
'description': 'The extortion group ShinyHunters has alleged large-scale data '
'theft from multiple organizations, including Panera Bread, '
'CarMax, and Edmunds, as part of a broader campaign targeting '
'corporate credentials. The group exfiltrated over 14 million '
'records from Panera Bread, 500,000+ records from CarMax, and '
'millions of records from Edmunds, containing personally '
'identifiable information (PII). The breaches were reportedly '
'achieved via Microsoft Entra SSO code exploitation, earlier '
'intrusions, and voice-phishing attacks targeting Okta SSO '
'credentials.',
'impact': {'brand_reputation_impact': 'Potential Damage Due to Data Exposure '
'and Fraudulent Activities',
'data_compromised': 'Personally Identifiable Information (PII), '
'Account Details, Customer Records',
'identity_theft_risk': 'High (Exposure of Names, Email Addresses, '
'Phone Numbers, Account Details)',
'operational_impact': 'Unauthorized Access to Corporate Systems, '
'Fraudulent Customer Communications',
'systems_affected': ['Microsoft Entra SSO',
'Okta SSO',
'Salesforce Environments',
'Third-Party Marketing Platforms']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': ['Microsoft Entra SSO Code',
'Okta SSO Credentials',
'Voice-Phishing']},
'investigation_status': 'Ongoing',
'motivation': 'Extortion, Data Theft for Sale on Dark Web',
'post_incident_analysis': {'root_causes': ['Exploitation of SSO '
'Vulnerabilities',
'Social Engineering '
'(Voice-Phishing)',
'Compromised Third-Party '
'Platforms']},
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'The Register'},
{'source': 'Silent Push'},
{'source': 'Mandiant'},
{'source': 'Okta Advisories'}],
'threat_actor': 'ShinyHunters (linked to Scattered Lapsus$ Hunters)',
'title': 'ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, '
'and More',
'type': 'Data Breach',
'vulnerability_exploited': ['Microsoft Entra SSO Code',
'Okta SSO Credentials',
'Salesforce Environments']}