Most “privacy-first” products still know your real identity
Email reset, IP logs, phone checks - that is a dossier.
In the first half of 2025, the Identity Theft Resource Center tracked 1,732 U.S. data compromises affecting 165,745,452 people. Verizon reviewed 22,052 incidents and counted 12,195 confirmed breaches.
When Ticketmaster says an attacker touched a cloud database run by a third party, that is the modern leak pattern.
When Change Healthcare went down, pharmacies and providers got pushed into manual work and delayed payments.
So “we care about privacy” is a marketing line unless your architecture makes identity optional. If your reset flow starts with email or SMS, you have built a lookup table on day one, even if you host on Amazon Web Services (AWS), front it with Cloudflare, send codes via Twilio, run login through Okta, and take payments with Stripe.
This makes me wonder whether our privacy story survives the next breach notification.