37M Panera Bread Customers Hacked

by Editor, May 25, 2018

Panera Bread leaks data of potentially millions of customers

For at least eight months, Panera Bread, the bakery and cafe chain, leaked sensitive customer data, which included names, birth dates, email and physical addresses, and the last four digits of credit cards, potentially giving hackers an easy score of valuable information. And that was despite having been warned about the issue.

The data was easily accessible on Panera’s website, according to Brian Krebs. “The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com,” writes Krebs on his blog, KrebsOnSecurity.

Krebs was contacted by a security researcher who first found the leak in August, after attempts to get Panera to fix the issue seemed to go nowhere.

As Krebs looked into the problem, he found that the data could be indexed and crawled by automated tools. “For example, some of the customer records include unique identifiers that increment by one for each new record, making it potentially simple for someone to scrape all available customer accounts. The format of the database also lets anyone search for customers via a variety of data points, including by phone number,” explains Krebs.
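Identifiers that increment by one leave a recognizable trace in web server logs: a single client requesting record N, then N+1, then N+2. The Python detector below is an added example, not code from the original article or from Panera; the log format, the `/api/customer/<id>` path, the sample traffic and the run threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed log shape: combined-log style lines; /api/customer/<id> is a
# hypothetical path used for illustration, not the site's real endpoint.
LINE_RE = re.compile(r'^(\S+) .*?"GET /api/customer/(\d+)[ ?]')

def _line(ip, path):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample traffic (documentation-range IPs, made-up IDs).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"/api/customer/{n}")           # walks IDs, one retry
     for n in (5001, 5002, 5003, 5003, 5004, 5005, 5006)]
    + [_line("198.51.100.20", "/api/customer/7731")] * 3  # user reloading own record
    + [_line("192.0.2.55", f"/api/customer/{n}") for n in (9000, 9002, 9001, 9005)]
    + [_line("192.0.2.55", "/menu")]                      # unrelated request
)

def longest_increment_run(ids):
    """Longest run in which each requested ID equals the previous ID + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=5):
    """Return {client_ip: longest_run} for clients stepping through IDs in order."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, rec_id = m.group(1), int(m.group(2))
        seen = per_client[ip]
        if not seen or seen[-1] != rec_id:  # collapse immediate retries
            seen.append(rec_id)
    flagged = {}
    for ip, ids in per_client.items():
        run = longest_increment_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Per-client run detection only catches a scraper working from one address, so it complements, rather than replaces, requiring authentication and an ownership check on every record lookup.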

Panera issued a statement saying it had fixed the problem within two hours of being contacted by Krebs. But, as Krebs pointed out, it’s unclear why the company didn’t address the leak when it was originally contacted by the researcher in August.

Krebs estimates that the number of customer records could be as high as seven million. However, after the story was published on KrebsOnSecurity, Panera downplayed the incident to Fox News, saying only 10,000 customer records were exposed.

Get the full story at KrebsOnSecurity.

  • Breach Checklist

    • 1. Use complex passwords
      Using “12345” as a password is like locking up your bike with dental floss.
      LastPass and 1Password can help generate secure passwords.
    • 2. Change your passwords frequently
      Changing your passwords regularly, like every month or even every week,
      can help keep hackers from accessing your account if they happen to get their hands on an old password of yours.
    • 3. Use two-step authentication
      Make sure to activate it on any website or app that offers it, and consider it a secondary wall in your digital fortress.
