How Secure Is Your Stolen Encrypted Data?

Chances are that some of your data has been stolen. Ever use Yahoo? 3 billion Yahoo accounts were nabbed in 2013. Visit a Marriott hotel? 500 million Marriott accounts were stolen over four years, 2014 – 2018. Did you manage to somehow hang on to your old Hotmail address and edgy teenage spirit? 360 million MySpace accounts, hacked. Use MyFitnessPal? 150 million accounts.

So what exactly did the hackers get? Every breach is different, but they almost certainly got your email address, your account details, records of your activity on the site, and possibly far more damaging things. The good news is that some of the most sensitive data may have been encrypted; the bad news is that there’s also a good chance it wasn’t. Let’s take the best case for a data theft: your information was stolen, but the sensitive fields were encrypted with AES-256. How safe is it?

What does it mean for data to be encrypted?


“Encryption” in modern data security means key-based cryptography. You feed in the data you want to protect and a key, which is a random string of bits (256 of them for AES-256; a password or passphrase is not a key, it has to be stretched into one with a key derivation function), and the algorithm produces ciphertext that can only be turned back into the original with the right key. It should not be confused with:

  • Encoding: A fixed, public transformation that anyone can reverse by running the same algorithm backwards, no key required. ASCII, Unicode and Base64 are encodings. It provides no secrecy at all, however unreadable the output looks.
  • Hashing: A one-way function that produces the same fixed-size digest for identical input and an unrelated-looking digest if the input changes by even one bit. Nothing gets “decrypted”; a password is checked by hashing the candidate and comparing digests. Passwords should go through a dedicated password hash such as bcrypt (or scrypt or Argon2), which is salted and deliberately slow. A general-purpose hash such as SHA-256 is built for speed, which is exactly what an attacker guessing passwords wants.

For example, with the text “Keep it secret. Keep it safe.”:

  • Encoding (ASCII, decimal)
    Output: 75 101 101 112 32 105 116 32 115 101 99 114 101 116 46 32 75 101 101 112 32 105 116 32 115 97 102 101 46
    Reversed: Keep it secret. Keep it safe. (by anyone, no key needed)
  • Encryption (AES 256-bit, key derived from the passphrase “Mellon”)
    Output: ddg18josC+1ouYRjv5CfPoojKJV+y3OLtxjIeCUsL+A=
    Reversed: Keep it secret. Keep it safe. (only with the key; a different key or a modified ciphertext gives garbage or an error)
  • Hashing (bcrypt, cost factor 12, i.e. 2^12 rounds)
    Output: $2y$12$3O1EiCPdVrqZFllHJ/.q9eZzsyzqdmLMluqlQKO1ANtlYMva94.nS
    Reversed: Cannot be reversed. The only way to “recover” the input is to hash candidates until one matches.

The two main types of encryption are symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption uses a key pair: anyone can encrypt with the public key, but only the holder of the private key can decrypt. Bulk data, including anything stored in a database, is almost always encrypted symmetrically, because algorithms like AES are far faster and produce compact ciphertext; asymmetric encryption is used to exchange or wrap symmetric keys and for signatures. The worry about having a single key for an entire database is legitimate, but the fix is a hierarchy of symmetric keys (one per user or per record, wrapped under a master key), not asymmetric encryption of the data itself.

How secure is encryption? Can it be cracked?


The short answer is yes, in principle: a brute force attack, which means trying keys until one works, would find the right one eventually. In practice “eventually” is meaningless for a 256-bit key. There are 2^256 possible keys, and at any plausible guessing rate the expected search time runs to something like 3 sexdecillion (3×10^51) years, with similar figures for other widely used algorithms at comparable key sizes. Quantum computers change the picture for some algorithms but not this one: Grover’s algorithm roughly halves the effective key length of a symmetric cipher, which still leaves AES-256 with 128 bits of security, while Shor’s algorithm would break RSA and elliptic-curve public-key cryptography outright once a large enough machine exists. For symmetric encryption of stored data, brute force is simply not the threat.

But that doesn’t make encryption foolproof. Attackers know that encrypted data is useless without keys, so the keys are what they go after, and the most catastrophic breach is one in which both the ciphertext and the decryption keys are taken. Done properly, data encryption is mostly key management: each user or record gets its own data key; those data keys are stored encrypted (wrapped) under a master key; and the master key lives somewhere the database and application servers cannot simply read, typically a hardware security module or a cloud key management service that unwraps data keys on request without ever handing out the master key. Decryption then happens only in the memory of the service that needs the plaintext, over authenticated connections, so a dumped database or a copied disk image contains nothing but ciphertext and wrapped keys. On top of that, the master key should be rotated on a schedule, which is cheap when only the wrapped data keys have to be re-encrypted.
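The following is an added example, not code from the original article, showing the two ideas above in working Go: the AES-256 encrypt/decrypt behaviour from the comparison table (right key recovers the text, wrong key or a modified byte fails) and the key hierarchy just described, with a per-user data key wrapped under a key-encryption key (KEK) that never goes into the database and can be rotated without re-encrypting the data. It uses only the Go standard library (AES-GCM); the names Record, Store, Load and RotateKEK are this example’s own, and the KEK is generated in memory here as a stand-in for a key held in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// RandomKey returns a real 256-bit AES key, not a passphrase such as "Mellon".
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts with AES-256-GCM; the result is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key or a single modified byte fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Record is what the application database holds per user: the encrypted field
// and that user's data key (DEK), itself encrypted (wrapped) under the KEK.
// (Hypothetical layout for this example.)
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Store encrypts one sensitive field under a fresh per-user DEK and wraps the
// DEK with kek. The kek itself is never written next to the data.
func Store(kek, sensitive []byte) Record {
	dek := RandomKey()
	return Record{Ciphertext: Seal(dek, sensitive), WrappedDEK: Seal(kek, dek)}
}

// Load unwraps the DEK with kek, then decrypts the field.
func Load(kek []byte, r Record) ([]byte, error) {
	dek, err := Open(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return Open(dek, r.Ciphertext)
}

// RotateKEK re-wraps the DEK under a new KEK; the ciphertext is untouched,
// which is what makes regular key rotation affordable.
func RotateKEK(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := Open(oldKEK, r.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: r.Ciphertext, WrappedDEK: Seal(newKEK, dek)}, nil
}

func main() {
	msg := "Keep it secret. Keep it safe."
	kek := RandomKey() // in production this lives in a KMS or HSM, not with the data
	rec := Store(kek, []byte(msg))
	fmt.Println("encrypted:", base64.StdEncoding.EncodeToString(rec.Ciphertext))
	// An attacker who dumps the database gets rec but not kek; guessing a key fails.
	if _, err := Load(RandomKey(), rec); err != nil {
		fmt.Println("stolen record without the KEK:", err)
	}
	pt, _ := Load(kek, rec)
	fmt.Println("decrypted with the KEK:", string(pt))
}
```

The point to notice is what a stolen copy of Record gives the attacker: nothing, as long as the KEK stayed elsewhere. Rotating the KEK is a pass over the small wrapped keys, not over every ciphertext in the table.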

If the site your information got stolen from did all that, the attackers probably did not nab the keys, and your data is safe until the sun burns out or we invent much more powerful computers. But what are the odds that sites are actually doing this, and how much of your data is encrypted in even a best-case scenario?

Who encrypts and what’s being encrypted?


Remember that list of data breaches at the beginning of this article? Let’s check them out again.

  • Yahoo (2013/2014, 3 billion accounts)
    Hashed or encrypted: passwords (mostly bcrypt, some MD5); some security questions and answers
    Not encrypted: names, email addresses, phone numbers, birthdates
  • Marriott (2014–2018, up to 500 million guests)
    Encrypted: 8.6 million credit card numbers; 20.3 million passport numbers
    Not encrypted: names, addresses, birthdates, gender, loyalty program data, reservation information; 5.25 million passport numbers
  • MySpace (2016, 360 million accounts)
    Hashed: passwords (SHA-1, no salt)
    Not encrypted: email addresses, usernames
  • MyFitnessPal (2018, 150 million accounts)
    Hashed: passwords (salted bcrypt for most accounts, SHA-1 for the rest)
    Not encrypted: usernames, email addresses

This list could get very, very long, but you get the idea: on most sites the only things protected are your password (which is hashed, not encrypted) and payment card data, which card-industry rules force sites to protect. Unless it’s a site that deals with a lot of sensitive information or has a thing for high security, your data breach probably exposed a fair amount of your PII (Personally Identifiable Information). Cost and effort are part of the reason, but the bigger one is that the application needs most of this data in plaintext to do its job: it has to search by email address, display your name and send you mail, so the data is decrypted wherever the application runs and the keys have to be reachable from there. Encrypting a field only helps if the keys are managed separately from the data, and that is the work most sites skip.

Even the hashed data in these breaches wasn’t always safe. Yahoo and MyFitnessPal used bcrypt for most passwords, which is a proper password-hashing algorithm: salted by design and deliberately slow, so every guess costs the attacker real work. But both also had older accounts hashed with MD5 (Yahoo) or SHA-1 (MyFitnessPal), fast general-purpose hashes that a GPU can run billions of times per second. MySpace used unsalted SHA-1 for everything, which is cheap for the site and exactly as cheap for the attacker: without a salt, one precomputed table cracks every account at once, and users who chose the same password show up with identical hashes before any cracking is done. Yahoo also never made clear whether its 2013 MD5 hashes were salted (they probably weren’t), which leaves those easy to crack as well.
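To make the salting point concrete, here is an added example (not from the article, Go standard library only) that builds a small constructed “leaked” users table two ways, MySpace-style unsalted SHA-1 and SHA-1 with a random per-account salt, and runs the same wordlist attack against both. The accounts and wordlist are made up for the demonstration. It counts hash invocations so the cost difference is visible; bcrypt’s work factor, which multiplies each of those attempts further, is not shown because bcrypt is outside the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Account is one row of a constructed "leaked" users table (not real breach data).
type Account struct {
	User string
	Salt string // empty in the unsalted scheme
	Hash string // hex SHA-1 of salt + password
}

// hashOps counts SHA-1 calls so the attacker's cost under each scheme can be compared.
var hashOps int

func sha1Hex(s string) string {
	hashOps++
	d := sha1.Sum([]byte(s))
	return hex.EncodeToString(d[:])
}

// makeDump stores the same credentials either MySpace-style (unsalted SHA-1)
// or with a random 8-byte per-account salt.
func makeDump(creds [][2]string, salted bool) []Account {
	var out []Account
	for _, c := range creds {
		a := Account{User: c[0]}
		if salted {
			b := make([]byte, 8)
			if _, err := rand.Read(b); err != nil {
				panic(err)
			}
			a.Salt = hex.EncodeToString(b)
		}
		a.Hash = sha1Hex(a.Salt + c[1])
		out = append(out, a)
	}
	return out
}

// CrackUnsalted hashes the wordlist once and looks every account up in the
// resulting table: cost is len(wordlist), however many accounts leaked.
func CrackUnsalted(dump []Account, wordlist []string) map[string]string {
	table := make(map[string]string, len(wordlist))
	for _, w := range wordlist {
		table[sha1Hex(w)] = w
	}
	found := map[string]string{}
	for _, a := range dump {
		if pw, ok := table[a.Hash]; ok {
			found[a.User] = pw
		}
	}
	return found
}

// CrackSalted must rerun the wordlist for every account, because each salt
// changes the hash: cost is up to len(wordlist) * len(dump).
func CrackSalted(dump []Account, wordlist []string) map[string]string {
	found := map[string]string{}
	for _, a := range dump {
		for _, w := range wordlist {
			if sha1Hex(a.Salt+w) == a.Hash {
				found[a.User] = w
				break
			}
		}
	}
	return found
}

// DuplicateHashes shows the other leak in unsalted storage: users with the
// same password have identical hashes, visible before any cracking is done.
func DuplicateHashes(dump []Account) map[string][]string {
	byHash := map[string][]string{}
	for _, a := range dump {
		byHash[a.Hash] = append(byHash[a.Hash], a.User)
	}
	for h, users := range byHash {
		if len(users) < 2 {
			delete(byHash, h)
		}
	}
	return byHash
}

// Constructed sample credentials and a tiny wordlist; "dave" is not in the list.
var creds = [][2]string{{"alice", "password1"}, {"bob", "letmein"}, {"carol", "password1"}, {"dave", "Tr0ub4dor&3"}}
var wordlist = []string{"123456", "password", "password1", "qwerty", "letmein", "iloveyou"}

func main() {
	unsalted, salted := makeDump(creds, false), makeDump(creds, true)
	hashOps = 0
	fmt.Println("unsalted cracked:", CrackUnsalted(unsalted, wordlist), "SHA-1 calls:", hashOps)
	fmt.Println("identical hashes:", DuplicateHashes(unsalted))
	hashOps = 0
	fmt.Println("salted cracked:  ", CrackSalted(salted, wordlist), "SHA-1 calls:", hashOps)
}
```

With the unsalted dump, six hash computations crack three of the four accounts, and alice and carol are visibly the same password without any cracking at all; with salts, the attacker pays per account, and a slow hash like bcrypt makes each of those payments thousands of times larger.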

Marriott also lost 5.25 million passport numbers in plaintext, which is not good. They clearly knew these should be encrypted (20.3 million others were, after all) but dropped the ball on roughly a fifth of the passport numbers they held. The credit card numbers were encrypted, but Marriott could not rule out that the attackers also took what was needed to decrypt them, which is exactly the keys-next-to-data failure described above.

The moral of the story: most of your data is not encrypted, even the stuff you’d think really should be.

But my data was encrypted

Right, so you were using a website with fantastic security that encrypted every last bit of your information. Those do exist; a lot of file storage services (Dropbox, Google Drive) encrypt your files at rest, for example. One caveat: those services hold the keys, so that encryption protects against a stolen disk or a leaked backup, not against an attacker who gets the provider’s own access, and not against the provider itself. If you want the files unreadable to anyone but you, encrypt them yourself before uploading. Where the site’s key storage game was strong and its security people worked closely with the developers, the odds are fair that your data will remain untouched until the heat death of the universe.

The more likely scenario, though, is that a lot of your information was unencrypted, and even the sensitive information may have been hashed with a fast, unsalted algorithm or encrypted with the key sitting in the same database or on the same file system. There’s not much you can do about this, since you have to give companies your data to use their services, but you can keep what you hand over to a minimum, and don’t reuse passwords: a password cracked from one unsalted SHA-1 dump is tried against every other site within hours.

And don’t forget to check HaveIBeenPwned to see if your data has popped up in any breaches.


6 comments

  1. I wonder how secure was the data in Equifax databases.

    1. Unfortunately, it seems that they didn’t really encrypt anything–including one file full of passwords. Given the long list of other security failures, it’s not really surprising that they weren’t doing much to protect data.

      https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/

  2. Another whole matter is whether the encryption actually worked as expected. This is not an insignificant issue: NIST has reported that of encryption products submitted for their encryption validation checking program, about 80% did not pass. About half of these failures were due to relatively less important details, but about half did just get it wrong.

    1. Spot on. Even the best encryption standards can be undermined by faulty implementation.

  3. Very funny phrase:
    “so you were using a website with fantastic security that encrypted every last bit of your information. Those do exist – a lot of file storage sites (Dropbox, Google Drive) will encrypt your files in their database, for example.”

    That is, we have entrusted the sheep to a wolf in winter with heavy snow! I’m sorry, but I will not be able to. If I’m going to be hurt by someone, it’s better not to be these “wolves”.

    1. File encryption is actually one of the easiest things to fix–you can actually just encrypt the file yourself before you upload it to whatever service you’re using. If you give user data to a site, though, there’s not much you can do about their standards.
