All Arlene Kaganove wanted was a free bagel on her birthday. It's the reason the woman signed up for the MyPanera Rewards card. But Arlene said she never anticipated what she got instead.
"Extortion letters," she said about the threatening emails she got that said someone had recorded her watching porn. "Which I find hilarious."
The letters demanded Arlene pay $1,400 in Bitcoin to get that recording and said they had seen her "…doing nasty things!"
Arlene wasn't worried because she knew if she had been watched, "They'd see this little old lady sitting there, cursing at the computer, 'cause it's not doing what I want it to do," she said.
The 86-year-old, who has two master's degrees in chemistry and a law degree, said she was not about to bite.
"This is the most bizarre thing I've ever seen," she said.
Arlene did have questions for Panera. The St. Louis-based company acknowledged in 2018 its website did leak customer data, a vulnerability called to its attention by a tech-savvy whistleblower. The leaked data included customer names, emails, physical addresses and birthdays. The company estimated fewer than 10,000 customers were affected but the whistleblower put that number as likely much higher.
Arlene said she believes that is how the extortionists found her. In their letters, they cite her user name and password – a unique combination she said she only used for that Panera account.
Panera told NBC 5 Responds in Chicago, "No MyPanera Rewards account passwords were exposed during the April 2018 incident. We also went over our forensic records from last year and confirmed that Arlene's account was not accessed improperly."
Arlene did not buy that explanation, but she also wasn't planning to buy any Bitcoin any time soon. She also wanted to make sure no one else fell for this X-rated scam.
"If they're sending six to me, obviously, they're sending a lot more out there to other people and I'm sure somebody is sending the money," she said. "So it ceased to be funny."
Panera said it never disputed the data was leaked through its site, an issue that has since been fixed. But the company also said its own internal probe found that customer passwords were not among the details exposed.
For her part, Arlene said after those six threatening emails, the scammers finally apparently got the message and left her alone.