/ BLAST RADIUS · WHY ARCHITECTURE MATTERS

Every recent breach has the same shape.

A vendor was holding decryptable data. Attackers reached it. The vendor sent a disclosure letter. The headlines used different names but the architecture was the same every time.

Koaich is built on the opposite trade-off: store as little as possible, decrypt none of it server-side. The blast radius of a breach against us is what the attacker could have learned from staring at our metadata. The content is somewhere else — on your device, sealed under keys we never see.

YOUR EXPOSURE TO THIS PATTERN — TAKE THE 60-SECOND SCORECARD→

/ THE PATTERN

Three properties show up in nearly every disclosure.

→The vendor was holding cleartext or decryptable data. Not just "encrypted in transit and at rest" — the vendor held the keys to decrypt. When the attacker got to the data, the keys came with it.
→Vendor-side tooling could read customer content. Support tools, analytics dashboards, internal queries. A compromised employee credential = a compromised customer record.
→Volume of stored data was the blast radius. The more the vendor accumulated, the more attackers walked away with. Data minimization wasn't the default.

/ RECENT EXAMPLES

Ten public-record breaches, same shape each time.

Each entry below cites the affected vendor's own disclosure. We're not naming anyone in the negative — these companies handled hard situations as well as their architecture allowed. The point is the architecture, not the company.

Ticketmaster · Live Nation

May 2024

560M user records

Live Nation Form 8-K · 2024-05-31 ↗

WHAT HAPPENED

Customer names, emails, phone numbers, addresses, and partial payment data exfiltrated through a third-party Snowflake instance.

PATTERN

Vendor stored extensive PII in a queryable cleartext warehouse. Credential compromise on the warehouse yielded everything.

WHAT KOAICH'S ARCHITECTURE CHANGES

We don't accumulate customer PII in a queryable warehouse. The minimum metadata we hold is what's needed to operate the service — no marketing profile, no transaction history available in cleartext.

AT&T

April 2024

~110M customers

AT&T official disclosure · 2024-07-12 ↗

WHAT HAPPENED

Call and text metadata — who called whom, when, for how long — for nearly every AT&T mobile customer over a six-month window, exfiltrated via a third-party Snowflake workspace.

PATTERN

Vendor accumulated detailed communication metadata in a warehouse. Credentials to the warehouse were the only barrier; once compromised, the metadata was cleartext.

WHAT KOAICH'S ARCHITECTURE CHANGES

We don't aggregate communications metadata across users into a centralized warehouse. Per-user operational records aren't usable as a population dataset.

Change Healthcare · UnitedHealth Group

February 2024

~190M people (UHG estimate)

UnitedHealth statement · 2024-10-24 ↗

WHAT HAPPENED

Health insurance records, medical claims, billing information, and personal identifiers exfiltrated by ALPHV/BlackCat ransomware.

PATTERN

Vendor stored sensitive medical records server-readable on infrastructure protected by traditional credentials. Ransomware operators reached the cleartext.

WHAT KOAICH'S ARCHITECTURE CHANGES

Documents and files in Koaich are encrypted on your device before they reach our infrastructure. A ransomware operator with full server access reaches ciphertext, not patient records.

MOVEit · Progress Software

May–June 2023

~95M individuals, ~2,700 organizations

Progress Software security bulletin · 2023-05-31 ↗

WHAT HAPPENED

Cl0p ransomware exploited a zero-day in MOVEit Transfer to exfiltrate files in transit through the managed-file-transfer service.

PATTERN

Files flowed through a vendor service that decrypted them in transit for processing. The decryption point was the breach point.

WHAT KOAICH'S ARCHITECTURE CHANGES

Files in Koaich are encrypted end-to-end. There is no point where the vendor needs to decrypt them to deliver them — they stay sealed from your device to the recipient's device.

23andMe

October 2023

~6.9M users

23andMe statement · 2023-12-01 ↗

WHAT HAPPENED

Credential-stuffing attackers logged into individual accounts and, via the 'DNA Relatives' feature, pulled genetic profile data on millions of users they were never authenticated as.

PATTERN

One vendor-side feature (cross-user matching) meant access to one account exposed data from many.

WHAT KOAICH'S ARCHITECTURE CHANGES

Per-vault key isolation means each vault has its own encryption boundary. A compromised credential opens what that credential was wrapped for — not your full history, not other people's data.

LastPass

August / November 2022

All customer vaults at the time of breach

LastPass incident summary · 2023-03-01 ↗

WHAT HAPPENED

Attackers exfiltrated backups of customer vaults. Vault contents were encrypted, but URL fields were stored unencrypted, and the strength of the master-key derivation depended on each customer's iteration count — old accounts had defaults far below the modern recommendation.

PATTERN

Vendor held a copy of the encrypted vault. Once exfiltrated, attackers could brute-force vaults offline at their own pace.

WHAT KOAICH'S ARCHITECTURE CHANGES

Vault keys derive on your device with parameters you don't choose downward. The recovery share lives on your other devices, not in our database. We don't hold a copy of your decryptable vault to lose.

Okta

October 2023

All Okta support customers

Okta security update · 2023-11-03 ↗

WHAT HAPPENED

Attackers accessed Okta's support case management system using stolen credentials and downloaded files including session tokens uploaded by customers debugging issues.

PATTERN

Vendor's internal tooling held customer-uploaded artifacts in cleartext. Internal tooling compromise = customer-data compromise.

WHAT KOAICH'S ARCHITECTURE CHANGES

Our internal support surface doesn't have access to customer content. There's no support engineer who can decrypt your vault — they have no key.

Twilio · Authy

August 2022 (and follow-up June 2024)

163 customers initially; 33.4M phone numbers in 2024 follow-up

Twilio Authy security alert · 2024-07-02 ↗

WHAT HAPPENED

Phishing attack compromised employee credentials and granted access to internal tools; in 2024, an unauthenticated endpoint enumerated registered phone numbers for the Authy app.

PATTERN

Vendor-side employee tooling and unauthenticated APIs both presented surfaces where customer identifiers existed in cleartext.

WHAT KOAICH'S ARCHITECTURE CHANGES

Authentication challenges in Koaich are signed by your authenticator (WebAuthn passkeys), not generated server-side. Our server never holds a one-time-code key it could leak.

Dropbox Sign (HelloSign)

April 2024

All Dropbox Sign users

Dropbox Form 8-K · 2024-05-01 ↗

WHAT HAPPENED

Attackers gained access to a Dropbox Sign production environment and exfiltrated customer email addresses, usernames, phone numbers, hashed passwords, and authentication tokens.

PATTERN

Vendor stored authentication tokens and user identifiers in cleartext in production. Compromise of production = compromise of every active session.

WHAT KOAICH'S ARCHITECTURE CHANGES

Our session model uses keys generated on your device. Tokens that authorise a session are tied to the device's keypair — exfiltrating our database doesn't yield reusable session credentials.

Mailchimp

January 2023

~133 accounts affected, content exposed

Mailchimp security notice · 2023-01-18 ↗

WHAT HAPPENED

Social-engineering of Mailchimp employees granted attackers access to internal customer-support tooling, including audience lists and marketing analytics for affected accounts.

PATTERN

Vendor-side support tooling could read customer content directly. Compromised employee = compromised customer data.

WHAT KOAICH'S ARCHITECTURE CHANGES

Our internal tooling cannot read customer content. A compromised Koaich employee gains the same level of access an external attacker would — ciphertext only.

/ THE THESIS

Minimize the blast radius. The math, not the policy.

We can't promise we'll never be breached. No vendor can. What we can change is what an attacker walks away with when it happens.

→You can't lose what we don't store. The minimum operational metadata is what we keep — sender, recipient handle, timestamp, size. Not the content. Not a marketing profile. Not behavior logs we don't need.
→You can't have stolen what no one can read. Everything that's sensitive — messages, documents, files, AI drafts — is encrypted on your device. Our database holds ciphertext under keys we never see.
→You can't be socially-engineered against if our staff has no access. Support tools, internal queries, analytics dashboards — none of them have a path to your content. Phishing a Koaich employee doesn't reach your data.

/ INTERACTIVE

See the simulator for your own stack.

Pick your workspace tool + a breach scenario; see what an attacker walks away with. Side-by-side with what the same scenario would cost on Koaich. ~30 seconds, no signup.

Open the simulator →

Designed for the next breach you'll read about.

Join the waitlist. We're onboarding in waves. Read the architecture if you want the technical detail, or take the exposure scorecard to see what your current stack reveals.