ADT Data Breach Exposes 5.5 Million Customer Records in SSO Attack Security and smart home provider ADT confirmed a data breach affecting 5.5 million customers after hacking group ShinyHunters compromised an employee’s Okta single sign-on (SSO) credentials through a voice phishing (vishing) attack. The breach, detected on April 20, exposed customer names, phone numbers, addresses, and in some cases Social Security and Tax ID numbers, though payment information remained secure. ADT responded by terminating the unauthorized access, launching a forensic investigation with third-party cybersecurity experts, and notifying law enforcement. According to Bleeping Computer, ShinyHunters gained entry via an ADT Salesforce account after obtaining the employee’s Okta login details through vishing a tactic also linked to the group’s recent Panera Bread breach. ShinyHunters, known for high-profile attacks on companies like Rockstar Games, Crunchyroll, and Bumble, has increasingly targeted SSO vulnerabilities. Okta recently warned about the rise of vishing attacks, which manipulate victims into divulging credentials over the phone. The breach highlights the growing risk of SSO-based attacks and the persistent threat posed by cybercriminal groups exploiting human and technical weaknesses in enterprise security.

Cyberattacks Target Bumble, Match, Panera Bread, and CrunchBase Several high-profile companies including dating platforms Bumble and Match, food chain Panera Bread, and corporate data provider CrunchBase were hit by cyberattacks, according to a Bloomberg News report on Wednesday. The incidents, confirmed by company spokespersons, varied in scope and impact. Bumble stated that the intruders did not access its member database, accounts, direct messages, or profiles. Similarly, Match Group, parent company of Tinder, reported that a limited amount of user data was affected, though login credentials, financial information, and private communications remained secure. CrunchBase disclosed that documents on its corporate network were compromised but contained the breach. Panera Bread confirmed an incident involving contact information and notified authorities. The attacks highlight ongoing cybersecurity risks across industries, with companies emphasizing containment efforts and minimal exposure of sensitive data. No further details on the attackers or their motives were provided.

ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. According to claims reviewed by The Register and shared on the dark web, the group exfiltrated over 14 million records from Panera Bread including names, email addresses, phone numbers, and account details totaling 760 MB of compressed data. CarMax and Edmunds were also reportedly breached, with 500,000+ records (1.7 GB) and "millions" of records (12 GB), respectively, containing similar personally identifiable information (PII). ShinyHunters stated it accessed Panera’s systems via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches stemmed from earlier, unrelated intrusions. The group’s claims align with previous activity by Scattered Lapsus$ Hunters, a linked threat actor that posted CarMax data on a now-defunct leak site last fall, citing compromises in Salesforce environments. The campaign extends beyond these three companies. Last week, ShinyHunters added Crunchbase, SoundCloud, and Betterment to its list of victims, claiming over 50 million records stolen in total. Access to Crunchbase and Betterment was reportedly gained through voice-phishing attacks targeting Okta SSO credentials, a tactic Okta warned about in recent advisories. Betterment confirmed an unauthorized intrusion on January 9, where attackers used social engineering to access third-party marketing platforms and send fraudulent crypto-related messages to customers. Security researchers have observed the group’s expanding operations. Silent Push reported that ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations in the past 30 days, though it remains unconfirmed how many attacks succeeded. Meanwhile, Mandiant is tracking a "new, ongoing ShinyHunters-branded campaign" leveraging voice-phishing to harvest SSO credentials. None of the named companies Panera Bread, CarMax, Edmunds, Crunchbase, or Betterment have publicly responded to the claims. Microsoft and Google stated they had no indication their products were directly affected by the phishing campaign. The incidents underscore the growing threat of social engineering attacks bypassing multi-factor authentication (MFA) to compromise corporate systems.

Panera Bread suffered a major data breach exposing sensitive customer information, including Social Security numbers, addresses, birth dates, and passcodes, from 73 million accounts (current and former customers). The breach occurred in two phases: March 30, 2024, and July 12, 2024, with hackers downloading data from a third-party cloud platform and leaking it on the dark web. The incident led to consolidated state and federal lawsuits, alleging negligence in cybersecurity measures. Customers faced risks of identity theft, fraud, and financial losses, with compensation claims categorized into tiers: up to $500 for ordinary losses (e.g., credit monitoring), $2,500 for time spent resolving issues, and $6,500 for documented extraordinary losses. The breach severely damaged customer trust and exposed the company to legal and reputational consequences.

The Washington State Office of the Attorney General reported that Panera, LLC experienced a cybersecurity incident on March 23, 2024, affecting approximately 811 Washington residents. The breach, identified as a ransomware attack, involved unauthorized access to files that included names and Social Security numbers.

Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants suffered a data breach incident. the breach compromised information including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number. The data was left exposed for at least eight months before it was yanked offline.