IntermediateData Protection

Encrypt sensitive metadata, not just content — URLs and filenames reveal as much as files

LastPass stored encrypted vault content but kept the URLs of websites in each entry as unencrypted metadata. When their vault database was stolen, attackers immediately had a map of every service each user had an account with — extremely valuable for targeted attacks. Encrypt all metadata associated with sensitive data: not just file contents but filenames, access timestamps, record labels, and category information. In database design, consider whether column names themselves reveal information about the data they contain. End-to-end encrypted systems that leak metadata provide much weaker guarantees than their encryption implies.

Tags

metadata encryptionLastPassprivacyE2E encryptiondata minimisation

More in Data Protection

All guides
beginnerfeatured

Never store passwords with MD5, SHA-1, or SHA-256 — use bcrypt, scrypt, or Argon2

Password hashing is not encryption — it is a one-way function designed to be slow. MD5 and SHA-1 are fast hash functions designed for checksums, not security. A modern GPU can crack billions of MD5 hashes per second. The RockYou breach exposed 32 million passwords in plaintext; the LinkedIn breach exposed 117 million SHA-1 hashes that were cracked within days. Use bcrypt (minimum cost factor 12), scrypt, or Argon2id — purpose-built password hashing functions with tunable slowness. Bcrypt's use in the Slack breach meant their stolen hashes provided negligible value to the attackers despite the database being fully compromised.

See: RockYou BreachData Protection
beginner

Implement Subresource Integrity for all externally hosted JavaScript

Subresource Integrity (SRI) is an HTML attribute that locks a script tag to a specific cryptographic hash of the file — if the CDN serves a modified version, the browser refuses to execute it. The polyfill.io CDN hijack in 2024 served malicious JavaScript to 100,000 websites because none of them had SRI hashes on their polyfill script tags. A single attribute (<script src="..." integrity="sha384-..."> ) would have protected every affected website. Apply SRI hashes to every externally-loaded JavaScript and CSS file. Self-host critical JavaScript dependencies where possible.

See: Polyfill.io CDN HijackData Protection
beginner

Classify data before storing it — you cannot protect what you have not categorised

The Equifax breach was catastrophic partly because Equifax had accumulated sensitive data on hundreds of millions of people who never chose to interact with them — Social Security numbers, birth dates, and financial histories — without a clear retention policy. Data classification assigns sensitivity levels (public, internal, confidential, restricted) and triggers corresponding controls: encryption requirements, access logging, retention limits, and disposal procedures. Before storing any data, ask: what is it, how sensitive is it, who needs it, and when can we delete it? Only store what you genuinely need, encrypted appropriately for its classification.

See: Equifax BreachData Protection