Panera Bread has found itself in the hot seat after allegedly sitting on a security vulnerability for at least eight months and not taking action.

According to a recent report from KrebsOnSecurity, the website for the American chain of bakery-café fast casual restaurants leaked millions of customer records including names, addresses, e-mail addresses, birthdays and even the last four digits of customers’ credit cards before it was taken down on Monday.

Exactly how many customers were affected isn’t known but according to Krebs and data shared by Hold Security, the number of customer records exposed appears to exceed 37 million. It was initially thought that only seven million or so customer records were exposed but further research has reportedly found that the vulnerability extends to Panera’s commercial division, one that serves many catering companies.

Security researcher Dylan Houlihan said he tipped Panera off about the leak on August 2, 2017.

Krebs reports that the data was available in plain text on Panera’s website and included records for anyone that signed up for an online account to order food. As of April 2, the leak hadn’t been addressed despite Panera’s director of information security, Mike Gustavison, relaying in August that they were working to resolve the issue.

Shortly after Krebs’ story was published, it was updated with the following statement:

Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed. Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).

The offending site was briefly taken offline on Monday. It returned shortly after but is currently down again, likely in response to the far greater scope of the breach than initially suspected.

Lead image courtesy Joe Raedle, Getty Images