The Encryption Works.
It’s Everything Else that Doesn’t.
This paper does not propose a new cryptographic algorithm and doesn’t challenge the mathematical soundness of modern encryption. On the contrary, the historical records demonstrate that cryptographic primitives have largely held up under decades of scrutiny.
Instead, we examine a different and often overlooked dimension of security failure: the systems that deploy, authenticate, migrate, and operate cryptography over time.
As the global technology stack prepares for a post-quantum transition, attention has largely focused on algorithm replacement.
Far less attention has been paid to the operational reality of that transition—multi-decade coexistence, partial upgrades, credential inheritance, and the amplification of authentication risk during migration.
By reviewing real-world security incidents from the past decade, we argue that encryption rarely fails in isolation. Breaches emerge at the boundaries: credential management, identity propagation, system trust, and execution context.
The purpose of this paper is therefore not to announce a solution, but to open a discussion: if encryption continues to work, yet systems continue to fail, where should we direct post-quantum security efforts?
25 years of “crypto breaches.” Zero algorithm breaks.
The threat evolved from coding bugs to credential theft. But one thing never changed: the math held.
The Complete Picture: 2014-2025
| Year | Incident | Damage | What Failed | Algorithm Broken? |
|---|---|---|---|---|
| 2014 | Heartbleed | 500K servers | Missing bounds check (7 lines of C) | NO |
| 2914 | POODLE | Millions of sessions | SSL 3.0 protocol from 1996 | NO |
| 2016 | DROWN | 33% of HTTPS servers | SSLv2 protocol from 1995 | NO |
| 2017 | Equifax | 147M records | Unpatched Apache Struts + default “admin” password | NO |
| 2018 | Marriott | 500M guests | Stolen credentials, undetected 4 years | NO |
| 2010 | SolarWinds | 18,000 orgs including US govt | Supply chain—compromised build system | NO |
| 2021 | Colonial Pipeline | $4.4M ransom, fuel shortage | VPN password from dark web. No MFA. | NO |
| 2021 | T-Mobile | 40M records | Security vulnerability in systems | NO |
| 2013 | MOVEit | 60M+ records | Zero-day in file transfer tool | NO |
| 2013 | 23andMe | 6.9M accounts | Credential stuffing—reused passwords | NO |
| 2024 | Snowflake/AT&T | 165 companies, billions of records | Stolen credentials (from 2020). No MFA. | NO |
| 2024 | Change Healthcare | 100M records, $22M ransom | Stolen Citrix login. No MFA. | NO |
| 2024 | National Public Data | 2.9B records | Poor access controls | NO |
| 2025 | ByBit | $1.5B stolen | Compromised third-party wallet keys | NO |
| 2025 | PowerSchool | 62M students | Contractor’s stolen login | NO |
AES-256 real-world breaks: zero.
SHA-256 collisions: zero.
Two Eras, Same Root Cause
2010s: Implementation Failures
2020s: Authentication Failures
The attack surface shifted from code bugs to key management disasters.
The Numbers
| Metric | Value |
|---|---|
| Credentials leaked (2025) | 16 billion |
| Secrets in GitHub repos | 13 million |
| Cost of stolen credentials | $10 |
| Breaches from weak/stolen credentials | 81% |
| Years AES-256 unbroken | 24 |
Authentication Is the Weak Link
Every major breach traces back to one failure: authentication.
We perfected encryption. But we neglected everything that protects the keys.
“More MFA” Is Not a Sufficient Answer
Multi-factor authentication has become the standard response to large-scale hacks, and for good reason: it increases the cost of account abuse and reduces the number of random attacks. However, MFA does not change the structure of authentication itself — it still depends on the protection, distribution, and correct use of secret data.
Passwords, private keys, recovery codes, hardware tokens, and enrolment states still need to be generated, stored, transferred, changed, revoked, and synchronised between systems and over time. Each step carries operational risk, especially in environments where systems evolve asynchronously.
As organisations prepare for post-quantum migration, these risks increase rather than decrease. Algorithms can be replaced within months, but authentication infrastructure persists for decades. During this transition period, systems must authenticate across mixed trust models, legacy components, third-party dependencies, and partially updated environments.
In this context, MFA improves security locally but does not solve the systemic problem: authentication mechanisms are still based on secrets, sensitive to migration, and vulnerable from an operational perspective.
We built an unbreakable vault—then left 16 billion copies of the key on the internet.
The authors are exploring system-level approaches that treat authentication as a physics-bound execution property rather than a key-management problem.