Crucially, Panera Bread didn't appear to be responsive to the problem. Houlihan notified the company about the problem in August 2017 and got a response promising that its team was "working on a resolution," but it didn't take down the info until KrebsOnSecurity got involved -- twice. In a statement, Panera Bread said it was still investigating the vulnerability but indicated that there was "no evidence" of either payment info or anyone accessing a "large number" of the accounts.

As such, you're probably not at risk if you signed up for a Panera Bread website account. However, this underscores a recurring problem with internet security: numerous companies have failed to encrypt data or otherwise abide by basic security policies. Although there's no guarantee that locking down data will prevent breaches, it beats welcoming thieves with open arms.