Three quick, plain-English security stories from the past week — focused on real-world consumer impact and what to do next.
1) Panera Bread breach: 5.1M accounts (not 14M) reportedly exposed

BleepingComputer reports that the breach data linked to Panera Bread appears to include about 5.1 million unique accounts (even though early headlines referenced 14 million “records”). The alleged ShinyHunters leak includes contact details like names, email addresses, phone numbers, and physical addresses.
- Why you should care: Exposed contact info makes targeted phishing and “account recovery” scams much more convincing.
- What to do: If you have (or had) a Panera account, change your password anywhere you reused it, and watch for “Panera support” emails/texts that try to push you to sign in via a link.
- Extra credit: Check if your email shows up on Have I Been Pwned and enable 2FA where possible.
Source: BleepingComputer (published 2026-02-02)
2) Exchange Online issue: legitimate emails mistakenly quarantined as phishing

Microsoft is investigating an Exchange Online incident where legitimate messages are being flagged as phishing and quarantined. That can mean real emails don’t arrive, or business-critical conversations stall without anyone realizing why.
- Why you should care: Email disruptions create openings for attackers (and mistakes) — especially when teams switch to “quick” alternative channels or resend sensitive info repeatedly.
- What to do: If you rely on Microsoft 365 email, keep an eye on your quarantine/junk folders, and make sure your team has a backup communications plan for time-sensitive approvals.
- Pro tip: Treat unexpected “please re-send” or “I can’t open your email” messages as potential social engineering, not just IT glitches.
Source: BleepingComputer (published 2026-02-09)
3) Substack: some users notified their email + phone number were exposed

The Verge reports that Substack notified some users their account email addresses and phone numbers were exposed in a security incident tied to unauthorized access to internal data (Substack says passwords and payment details were not affected).
- Why you should care: Phone numbers + emails are “starter fuel” for SIM-swap attempts, fake support texts, and highly personalized phishing.
- What to do: Be extra skeptical of unexpected Substack-related texts/emails. Don’t click account links from messages — navigate directly to the site/app.
- Harden your accounts: Use a unique password and enable 2FA wherever you can (especially on email accounts, which are the keys to most password resets).
Source: The Verge (published 2026-02-05)
— — —
If you want, reply with the three accounts you rely on the most (email, banking, and one social/app), and I’ll give you a prioritized 15-minute hardening checklist for each.
Update: Grandma’s Firewall 🛡️
This week’s simple rule: Never give a one-time code to anyone—ever.
Two scripts you can steal:
- “I don’t share codes. I’ll call the official number back.”
- “No problem—I’ll log in directly and handle it myself.”
Share this: If someone in your family falls for phone scams, send them this one rule. It prevents a shocking number of takeovers.