Panera Bread exposed the records of 37 million customers - including addresses and the last four digits of their credit card numbers - on its website, a report has revealed.
The information, which also included names, email addresses, and birthdays, could have been breached for at least eight months, according to KrebsOnSecurity.
Investigative cybercrime journalist Brian Krebs found that these records were available in plain text from panerabread.com, which customers can use to order food online for delivery or pick-up.
Krebs said Panera Bread was informed of the breach back in August by security researcher Dylan Houlihan.
Houlihan shared emails with Krebs dated August 9, 2017, in which Panera's director of information security, Mike Gustavison, said the company was 'working on a resolution'.
But Houlihan said the flaw 'never disappeared'.
'I checked on it every month or so because I was pissed,' he told Krebs.
The journalist then found that customer records could still be easily indexed on the site with 'very little effort'.