The fast-casual restaurant Panera Bread scrambled to takedown a portion of its site this week, eight months after it learned about the issue, that was leaking the personally identifiable information of millions of customers.

A slew of information belonging to customers who ordered through Panera's ordering portal at more than 2,100 retail locations in the U.S. and Canada was leaked through the site. The information contained customers' usernames, first and last names, email addresses, phone numbers, birthdays, addresses, and perhaps most serious, the last four digits of any saved credit card number they used.

Until it was taken down, the culprit, an unauthenticated API endpoint, could have allowed anyone to view the data, even if they had never ordered from Panera or set up an account.

Dylan Houlihan, the security researcher who uncovered the endpoint, first reported the issue to the company's Information Security Director, Mike Gustavison, last August. Houlihan was initially rebuffed but eventually was able to share his findings. After five days of radio silence Gustavison told the researcher Panera was "working on a resolution."

That resolution never came to fruition. Eight months after he reported the issue Houlihan reached out to both web security expert Troy Hunt and security reporter Brian Krebs to disclose the vulnerability.

It was only after Krebs published his blog on the issue that the company took its site offline for an hour to address the issue.

It's unclear exactly how many customers may be impacted. Krebs first suggested more than seven million customers may have had their information left out in the open. Researchers posited Monday that Panera’s commercial division, which services catering companies, was also affected. If true the number of breached customer records may hover somewhere around 37 million.

Krebs attributed the number after receiving links shared by Hold Security LLC, an Wisconsin-based security consultancy that assisted him in researching following last fall's Equifax breach.

Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site

— briankrebs (@briankrebs) April 2, 2018

In addition to the last four digits of a customers' credit card being leaked, customer account IDs were also prominently featured in the database. According to Houlihan, if an attacker wanted to, they could move laterally around the database, account number by account number, in order to gather information about a customer.