Panera Bread had a flaw in its website that leaked customers' personal information over an eight-month period, a cybersecurity blogger reported.
Customers' names, email addresses, phone numbers, physical addresses, birthdays and the last four digits of credit cards were all exposed in the leak, according to a blog post by cybersecurity writer Brian Krebs.
Security researcher Dylan Houlihan told Krebs he contacted Panera Bread in August about the issue with its website but that the company did nothing about it until Krebs reached out to Panera Bread on Monday. The company took its website offline and told Krebs it fixed the issue.
The customer information came from people who signed up online for an account at panerabread.com to order food from the more than 2,100 locations in the United States and Canada.
The flaw also exposed customer loyalty card numbers, meaning scammers could potentially spend prepaid loyalty benefits, Krebs wrote.
An internal investigation by the company found that fewer than 10,000 customers were affected, Panera Bread chief information officer John Meister said in a statement to CNBC.
However, Krebs disputed that number, writing that sources indicated to him that the breach instead exposed more than 37 million customer records.
"Panera takes data security very seriously and this issue is resolved," Meister said in a statement. "Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."
Panera is the latest large company to experience a data breach involving millions of customers, following the likes of Facebook, Uber, Yahoo and most recently Saks Fifth Avenue and Lord & Taylor.
Follow TODAY.com writer Scott Stump on Twitter.