How brtech built a database that leaks nothing, even if fully breached
Brazilian tech platform brtech spent six days refactoring its authentication architecture to achieve genuine user anonymity, ensuring that even a full database breach would expose no real emails, IPs, or identity tokens. The system uses HMAC-SHA256 hashing to store only an irreversible email hash, while replacing real names, emails, and profile images with randomly generated placeholders before any data reaches the database. Early versions of the approach still allowed raw emails to pass through authentication hooks momentarily, prompting further rewrites to eliminate that exposure window entirely. OAuth tokens and session metadata such as IP addresses and user agents, which Better Auth persisted automatically, were identified as remaining privacy gaps and addressed in a subsequent 'privacy lockdown' commit. The architecture is designed on the principle that if data cannot be stored, it cannot be leaked — shifting the trust model away from policy promises toward technical guarantees.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in