KrebsOnSecurity has discovered that Panera Bread left millions of customer sign-up records (possibly 37 million) in plain text on its website, including email addresses, home addresses, phone numbers and loyalty account numbers.
There was no payment info, thankfully, but it would have been patently easy for evildoers to harvest that information and use it as part of identity fraud or spam campaigns.
Crucially, Panera Bread didn't appear to be responsive to the problem. Houlihan notified the company about the problem in August 2017 and got a response promising that its team was "working on a resolution," but it didn't take down the info until KrebsOnSecurity got involved -- twice. In a statement, Panera Bread said it was still investigating the vulnerability but indicated that there was "no evidence" of either payment info or anyone accessing a "large number" of the accounts.