The website "Krebs on Security" says Panera's site exposed the records of 37 million customers who ordered food on the company's website.
Krebs reports that anyone could search for customer information including phone number, email address, physical address or loyalty account number.
The Panera Bread company website has been leaking customer data since at least last August.
The company also claims that there is "no evidence of payment card information being accessed or retrieved".
He first learned about the apparent security breach Monday, but said that a fellow researcher noticed it in August. A shared message thread between Houlihan and Mike Gustavison, Panera's director of information security, shows that Panera did eventually validate Houlihan's findings, saying the company was working on a fix.
According to Houlihan, the researcher checked for a resolution to the problem every month or so, but "the flaw never disappeared". Instead, it seems the information is still available, but now you must first have a valid Panera Bread account to go through the steps of accessing the unsecured data. How do you feel knowing that your data has been exposed? According to Krebs, more than 7 million customer records could have leaked.
However, both Houlihan and Krebs noted that the data in question remained searchable and public on Panera's website.
Quartz has reached out to Gustavison and Panera (as well as Krebs and Houlihan) for comments and will update this piece as merited.
Meister, however, told FOX that the investigation found fewer than 10,000 consumers had been potentially affected.