So what exactly did the hackers get? Every hack is different, but they almost definitely got your email address, user information, records of your activity on the site, and possibly much more damaging things. Good news, though: a lot of the most sensitive data was probably encrypted. There’s also a good chance it wasn’t encrypted, but let’s take the best-case data theft scenario: your information was stolen, but the sensitive stuff was encrypted with AES-256. How safe is it?
What does it mean for data to be encrypted?
“Encryption” in modern data security generally refers to key-based cryptography. In short, you input the data you want to encrypt and the key (a string of letters, numbers, and/or symbols) you want to use to encrypt it. The combination of these two things creates a jumbled mess that can only be decrypted if the appropriate key is used. It should not be confused with:
Encoding: Uses the same algorithm to both encode and decode data, no key required. This is like ASCII or Unicode – completely insecure.
Hashing: One-way process that produces the same result for identical input, but leaves very different results if the inputs vary even a little bit. This is typically used for password management with an algorithm like SHA-256 or bcrypt.
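The difference between encoding and hashing described above, as an added example that is not part of the original article. It uses Base64 as the encoding and SHA-256 as the hash; the function names are illustrative.

```python
import base64
import hashlib

def encode_then_decode(text):
    """Encoding is reversible by anyone: no key is involved in either direction."""
    encoded = base64.b64encode(text.encode()).decode()
    decoded = base64.b64decode(encoded).decode()
    return encoded, decoded

def sha256_hex(text):
    """Hashing is deterministic: the same input always gives the same digest."""
    return hashlib.sha256(text.encode()).hexdigest()

def differing_bits(a, b):
    """Count how many of the 256 output bits differ between two digests."""
    xor = int(sha256_hex(a), 16) ^ int(sha256_hex(b), 16)
    return bin(xor).count("1")

if __name__ == "__main__":
    encoded, decoded = encode_then_decode("hello")
    print("encoded:", encoded, "-> decoded without any key:", decoded)
    print("same input, same digest:", sha256_hex("abc") == sha256_hex("abc"))
    # Inputs differing by one character give digests that differ in about half their bits.
    print("bits changed:", differing_bits("password1", "password2"), "of 256")
```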
The two main types of encryption are symmetric and asymmetric. Symmetric encryption can be decrypted using the same key that was used to encrypt it, while asymmetric encryption requires one key (the public key) to encrypt and another key (the private key) to decrypt. Most modern encryption is asymmetric, since having just one key for an entire database of information is very insecure.
How secure is encryption? Can it be cracked?
The short answer is yes: encryption can be cracked. A brute force approach, which basically involves making lots and lots of guesses until one turns out to be right, would certainly find the right answer, given enough time and computing power. Given our current capabilities, brute-forcing AES-256 could take up to 3 sexdecillion (3×10^51) years, and similar numbers could be attached to many widely-used encryption algorithms. In the future, quantum computers and other advances could significantly decrease how secure encryption actually is, but in the meantime it’s effectively impenetrable.
But that doesn’t make encryption foolproof. Attackers are well aware that encrypted data is useless without keys, so what do they go after? The keys. The most catastrophic possible data breach is one in which the encrypted data and the decryption keys are stolen. If data security is being implemented correctly, the keys (multiple keys for different data, probably per user) will be securely stored in a separate location from the data and should probably be encrypted themselves. Additionally, the keys will need to be securely decrypted and fetched every time some data needs to be decrypted, so that attackers can’t intercept them. On top of all that, the keys should probably be changed on a regular basis.
If the site your information got stolen from did all that, the attackers probably did not nab the keys, and your data is safe until the sun burns out or we invent much more powerful computers. But what are the odds that sites are actually doing this, and how much of your data is encrypted in even a best-case scenario?
Who encrypts and what’s being encrypted?
Remember that list of data breaches at the beginning of this article? Let’s check them out again. This list could get very, very long, but you get the idea:
Basically, the only thing that’s being encrypted on most sites is your password (which is actually being hashed) and payment information. Unless it’s a site that deals with a lot of sensitive information or has a thing for high security, your data breach probably exposed a fair amount of your PII (Personally Identifiable Information). That’s mostly because encrypting and decrypting things takes a lot more computing power, time, effort, and money than just storing them in plaintext and serving them up to you directly.
Even the encrypted stuff in these hacks wasn’t always safe, though. Yahoo and MyFitnessPal used bcrypt for their passwords, which is a strong hashing algorithm, but they were also using MD5 and SHA-1 respectively, mostly for older accounts. These are much weaker hashing algorithms. MySpace just went with unsalted SHA-1 for everything, which makes sense, but also means that your password almost definitely got leaked. Yahoo also hasn’t been clear about whether they salted their passwords back in 2013 (they probably didn’t), which makes them pretty vulnerable to getting cracked.
Marriott even lost 5.25 million plaintext passport numbers, which is not good. They clearly knew they should be encrypting them (20 million others were, after all) but dropped the ball on 20 percent of their customers. They also encrypted the credit card numbers, but aren’t sure if the hackers got the key or not. The moral of the story: most of your data is not encrypted, even the stuff you’d think really should be.
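Why unsalted hashes are a problem, and what a salted scheme changes, as an added example that is not part of the original article. The accounts are constructed sample data, PBKDF2 from Python's standard library stands in for bcrypt, and the function names and stored-record format are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; two users happen to share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#mq-lantern"}
ITERATIONS = 100_000  # assumed work factor for this demo

def unsalted_sha1(password):
    """Legacy scheme: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_digests(table):
    """Digests used by more than one account: a sign the hashes are unsalted."""
    counts = Counter(table.values())
    return {digest: n for digest, n in counts.items() if n > 1}

def needs_upgrade(stored):
    """Flag records still on a legacy scheme so they can be rehashed at next login."""
    return not stored.startswith("pbkdf2_sha256$")

legacy = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
modern = {user: salted_pbkdf2(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_digests(legacy))
    print("salted duplicates:  ", shared_digests(modern))
    print("records to rehash:  ", [u for u, h in legacy.items() if needs_upgrade(h)])
```

With unsalted hashes, one precomputed digest matches every account that uses that password; with per-user salts, identical passwords are stored as unrelated values and each record has to be worked on separately.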
But my data was encrypted
Right, so you were using a website with fantastic security that encrypted every last bit of your information. Those do exist – a lot of file storage sites (Dropbox, Google Drive) will encrypt your files in their database, for example. If that’s the case, then as long as their key storage game was strong and their security experts did a good job working with the developers, odds are fair that your data will remain untouched until the heat death of the universe. The more likely scenario, though, is that a lot of your information was unencrypted, and even the sensitive information might have been badly hashed or encrypted with the key somewhere on the database or in the file system. There’s not much you can do about this since you need to give companies your data in order to use their services, but you can try to keep it to a minimum – and don’t reuse passwords! And don’t forget to check HaveIBeenPwned to see if your data has popped up in any breaches.