Data leak
Panera Bread Plaintext Customer Data Exposure - 37 Million Records, 8-Month Delay
Primary Source - Incident Details
In August 2017, security researcher Dylan Houlihan discovered that Panera Bread’s website had an unauthenticated API endpoint at panerabread.com that returned customer records in plaintext, accessible to anyone without authentication. The exposed data included names, email addresses, physical addresses, birthdays, last four digits of credit card numbers, and loyalty card information. Houlihan reported the vulnerability to Panera’s information security team on 10 August 2017 and received an acknowledgement. However, Panera failed to fix the vulnerability for 8 months.

In April 2018, Houlihan contacted Brian Krebs after Panera still had not patched the endpoint. Krebs published the story on 2 April 2018. At the time of public disclosure, the API appeared to be exposing at least 37 million customer records. The exposure was trivial to exploit: because customer IDs were sequential, any user with a valid Panera account could iterate through them and extract every record. Panera Bread took the endpoint offline within two hours of Krebs’s publication.

The 8-month delay from responsible disclosure to remediation drew significant criticism. The case became a high-profile example of poor vulnerability disclosure response by a major company and raised questions about the adequacy of Panera’s security response processes. Panera initially disputed the scale of exposure, claiming only 10,000 records were affected.
Technical Details
- Initial Attack Vector
  - An unauthenticated API endpoint on Panera Bread's website exposed customer records in plaintext, accessible to anyone with a web browser. The vulnerability was reported to Panera by security researcher Dylan Houlihan in August 2017, but Panera took 8 months to fix it.
- Vendor / Product
  - Panera Bread website / customer API
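The failure pattern described above is an authorization check that is simply absent on a record endpoint keyed by sequential IDs. The following is an added illustration, not Panera's code: a lookup with the missing check, a hardened lookup beside it, and a log check that flags one client walking many distinct customer IDs. The record store, session table, field names and access log lines are all constructed for the example.

```python
# Added example, not Panera's code: the missing authorization check behind an
# enumerable customer-record endpoint, a hardened lookup beside it, and a log
# check for sequential-ID walking. Store, sessions and log lines are constructed.
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed records with sequential IDs, the property that made walking trivial.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.com", "card_last4": "1234"},
    1002: {"name": "B. Example", "email": "b@example.com", "card_last4": "5678"},
}
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}  # token -> owner id

def lookup_vulnerable(customer_id: int) -> Optional[dict]:
    """No authentication and no ownership check: any caller can read any record."""
    return CUSTOMERS.get(customer_id)

def lookup_hardened(token: Optional[str], customer_id: int) -> Tuple[int, Optional[dict]]:
    """(status, body). Requires a valid session and returns only the caller's own
    record; unknown and foreign IDs both answer 404 so responses cannot be used to
    map which IDs exist."""
    owner = SESSIONS.get(token or "")
    if owner is None:
        return 401, None
    if customer_id != owner or customer_id not in CUSTOMERS:
        return 404, None
    rec = CUSTOMERS[customer_id]
    return 200, {"name": rec["name"], "email": rec["email"]}  # card digits omitted

# Detection: one client requesting many distinct customer IDs is the signature of
# the bulk extraction the incident describes. Constructed log format:
# <client_ip> <status> /api/customer/<id>
ACCESS_LOG = """\
198.51.100.7 200 /api/customer/1001
198.51.100.7 200 /api/customer/1002
198.51.100.7 200 /api/customer/1003
198.51.100.7 200 /api/customer/1004
203.0.113.9 200 /api/customer/1002
"""

def find_enumerators(log: str, threshold: int = 3) -> Dict[str, int]:
    """Map client -> number of distinct IDs requested, for clients at or over threshold."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log.splitlines():
        ip, _status, path = line.split()
        if path.startswith("/api/customer/"):
            seen[ip].add(int(path.rsplit("/", 1)[1]))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}
```

In a real deployment the threshold would be applied per time window and the session lookup would come from the web framework; the structure of the check (authenticate, then compare the requested ID against the authenticated owner) is the point.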
Timeline
- 2017-08-01 Breach occurred
- 2018-04-02 Publicly disclosed
- 2018-04-02 Customers notified