KoaichJoin waitlist
/ BREACH CATALOG · WHY THIS KEEPS HAPPENING

Every breach you've read about has the same root cause.

A small group of well-documented incidents — LastPass, Okta, Microsoft, the Snowflake-tenant cluster, Slack. You've probably read headlines about most of them. What the headlines don't say is that they all happened for one of five reasons, and four of those reasons are the same architectural choice: the vendor was holding a copy of the customer's data they could read.

IN PLAIN ENGLISH

Imagine you put your most sensitive documents in a locker at a storage facility. There are two kinds of facility: one where the staff has a copy of your locker key (so they can let in a plumber, or respond to a court order, or accidentally let an intruder in if they get fooled). And one where they don't — they just rent you the locker; only you can open it. Almost every workspace tool you use today is the first kind. Every story below is what happens when the first kind of storage gets robbed.

Not fear-mongering. Most of these vendors handled the incident competently after the fact. The point is that the same shape of incident keeps happening — and there's a different shape of system (the second kind of facility) where the same incidents are bounded by mathematics, not by the vendor's response.

The five patterns

Every workspace incident below falls into one of these five architectural patterns. The pattern is what made the incident possible — the cryptography (or lack of it) at the vendor side is the bound on the impact.

Vendor-held keys

2 INCIDENTS

The vendor was holding decryptable copies of customer secrets. Attacker breach yielded the keys + the data; cryptography didn't bound the exposure.

Vendor-side cleartext

1 INCIDENT

The vendor's runtime services hold customer content as cleartext to operate. Attacker access to those services yielded readable customer data directly.

Third-party auth compromise

2 INCIDENTS

The vendor's identity provider or auth-adjacent third party was breached; downstream customer accounts inherited the trust failure.

Downstream vendor data

1 INCIDENT

A data-warehouse or cloud-service vendor holding customer data on behalf of many downstream tenants was breached; every tenant's data was exposed at once.

Insider threat

0 INCIDENTS

A vendor employee with legitimate admin access abused their position. The cryptographic boundary didn't exclude that role from cleartext access.

Incidents, newest first

Snowflake-cluster credential reuse: tens of millions of records per tenant

Snowflake-downstream (AT&T, Ticketmaster, Santander, others) · 2024-05
DOWNSTREAM VENDOR DATA

Snowflake is a service big companies use to store their customer data. Hackers got the login passwords for about 165 of Snowflake's customer accounts that didn't have two-factor auth turned on. With those passwords, they walked in and copied huge customer databases. AT&T lost 110 million call records. Ticketmaster lost 560 million customer accounts. Snowflake itself wasn't broken into; the customers' passwords were. But once an attacker had a valid login, all the data was sitting there as plain readable rows.

+ Show technical detail

Attackers used credentials harvested from infostealer malware to access ~165 Snowflake-tenant accounts that lacked MFA. Downstream impact: AT&T (110M call records), Ticketmaster (560M accounts), Santander, LendingTree, and others. Snowflake itself wasn't breached — customer-managed credentials were.

WHAT WAS EXPOSED

Customer records held by Snowflake on behalf of dozens of major downstream tenants. The data was readable to anyone with valid Snowflake credentials because Snowflake's customer environments hold cleartext.

KOAICH DELTA

Koaich does not hold cleartext customer content. A breach of credentials that gain access to our infrastructure would yield ciphertext blobs + per-user metadata only. The Snowflake-style 'one credential compromise leaks 100M records' attack pattern doesn't apply because we don't have 100M records of cleartext to leak.

Mandiant analysis of UNC5537

Midnight Blizzard: Russian APT in Microsoft corporate Exchange

Microsoft · 2024-01
VENDOR-SIDE CLEARTEXT

Russian state-linked hackers got into Microsoft's own internal email — for weeks. They read messages from Microsoft's senior leadership and security teams. Microsoft eventually disclosed that the same attackers got into some of Microsoft's source code. The attack worked because Microsoft's own employees, like all Microsoft 365 customers, use Exchange Online where Microsoft holds the keys.

+ Show technical detail

Russian state-affiliated actor Midnight Blizzard (a.k.a. APT29, Cozy Bear) gained access to Microsoft corporate email accounts including senior leadership and security team. Microsoft later disclosed source-code repositories were also accessed.

WHAT WAS EXPOSED

Microsoft executive and security-team emails; Microsoft source code repositories. The attack persisted for weeks because Microsoft's tooling held cleartext access to its own employees' email.

KOAICH DELTA

Even our own engineers' Koaich vaults — if we use Koaich for our internal work, which we intend to — are encrypted under each user's device-held keys. An attacker breaching our infrastructure would walk away with ciphertext, not readable messages.

Microsoft Security Response Center disclosure

Okta customer-support system compromise

Okta · 2023-10
THIRD-PARTY AUTH COMPROMISE

Okta is the company most large businesses use to sign people in to all their other apps. Attackers got into Okta's customer-support system and stole files customers had shared with Okta's support staff. Those files contained login session info that let attackers try to break in to those customers' own systems.

+ Show technical detail

Attackers obtained HAR files (browser session recordings, including authentication tokens) uploaded by Okta customers to Okta's support portal during troubleshooting. Several downstream Okta customers — including 1Password and BeyondTrust — detected attempted account takeover attacks linked to leaked tokens.

WHAT WAS EXPOSED

Authentication tokens and session data for an estimated 134 Okta customers. Downstream impact at customers who used Okta SSO for their workspace tools.

KOAICH DELTA

Koaich uses WebAuthn passkeys, not SSO tokens that can be replayed. Passkey authentication is scoped to the origin — a stolen session from a third party's support portal can't be replayed against Koaich. Per-device keys also mean account takeover from one device doesn't compromise content from another.

Okta security advisory

Storm-0558: stolen Microsoft signing key access to government Exchange Online

Microsoft 365 · 2023-07
VENDOR-HELD KEYS

Hackers linked to the Chinese government stole a master key Microsoft uses to prove its own identity to its services. With that key, they could fake being any Microsoft customer — including U.S. federal agencies — and read their email. They had access for about a month before anyone noticed. The key existed because Microsoft holds it; if Microsoft hadn't held the key, the attackers wouldn't have had anything to steal.

+ Show technical detail

A China-linked threat actor obtained a Microsoft Account (MSA) consumer signing key and used it (combined with a token-validation flaw) to forge tokens for ~25 Microsoft 365 customer organizations, including US federal agencies. Attackers accessed cloud email inboxes for an estimated month before detection.

WHAT WAS EXPOSED

Exchange Online mailboxes for ~25 affected organizations. The vendor had decryption capability over customer mail by default; once an attacker gained the vendor's keys, customer content followed.

KOAICH DELTA

Microsoft holds the encryption keys for Exchange Online by default; customer-managed-key options (Customer Key on E5) only protect at rest. Koaich content is encrypted under user-held keys; a compromise of Koaich's signing keys would let an attacker impersonate users to themselves but not decrypt prior messages or documents.

CISA + Microsoft incident reports

Slack-employee token theft via GitHub access

Slack · 2022-12
THIRD-PARTY AUTH COMPROMISE

Attackers got login credentials for a few Slack employees and used them to read Slack's source code on GitHub. Slack disclosed that no customer messages were accessed — they keep source separate from production data. A bounded incident, included here as an example of what happens when a company keeps the right separations.

+ Show technical detail

Attackers obtained a small set of Slack employee tokens via compromised third-party services, then accessed Slack's externally-hosted GitHub repositories. No customer data or Slack production services were accessed per Slack's disclosure.

WHAT WAS EXPOSED

Slack source-code repositories. Notably bounded — Slack's separation of source from production data limited the impact.

KOAICH DELTA

A comparable incident at Koaich would expose source code (already open-source for the OSS components on github.com/koaichapp) and possibly internal docs. Source-code exposure doesn't decrypt customer content — the keys live on user devices, not in the source repo.

Slack security incident notice

LastPass vault backup exfiltration

LastPass · 2022-08
VENDOR-HELD KEYS

Attackers stole copies of every LastPass user's password vault. The passwords inside the vaults stayed encrypted, but the URLs of every site each user had a password for — plus their names and emails — were stored in plain text, and those leaked.

+ Show technical detail

Attackers stole encrypted password vaults plus unencrypted vault metadata (URLs, account holder emails). The vault contents themselves remained encrypted under each user's master password — the architectural property worked as designed.

WHAT WAS EXPOSED

Encrypted vault blobs for all customers, plus unencrypted URLs, names, email addresses, billing data, and IP addresses. The vault encryption used 100,100 PBKDF2 iterations (later contested as too few), so brute force against weak master passwords was feasible.

KOAICH DELTA

Like LastPass's vault content, Koaich's user content is encrypted under user-held keys. Unlike LastPass's metadata layer (URLs, emails, names in cleartext), Koaich's per-vault labels and contact data are also encrypted client-side, so a comparable backup exfiltration would yield ciphertext + minimal operational metadata only.

LastPass disclosure timeline

What the patterns have in common

Across all five patterns, the through-line is the same: the vendor was holding decryptable copies of customer data, and the attacker reached the decryptable copies. Where the cryptography bounded the exposure (LastPass vault contents, Slack source-code separation), the bound held. Where it didn't (LastPass vault metadata, Microsoft Exchange Online by default, Snowflake-tenant cleartext), the impact scaled with the volume of data the vendor was storing in cleartext.

Koaich is built so the cryptography bounds the exposure at every surface. Every Koaich row labeled with a name has that name as ciphertext server-side. Every message, document, and file is encrypted under user-held keys. A breach of our infrastructure would yield ciphertext + per-user metadata. The pattern that makes the incidents above expensive doesn't apply to a tool built this way.

For the deeper engineering version, see /security (architecture), /blast-radius (the original long-form essay), and /blast-radius/simulator (interactive: pick a tool + scenario, see the outcome).

Designed for the architectures these incidents revealed.

Get on the Koaich waitlist.

Pre-launch · No spam · Unsubscribe anytime