The misplaced trust in hashing as a privacy safeguard


Across industries, hashing has become the default mechanism for “privacy-safe” data collaboration. From advertising to financial services, organisations routinely share and compare hashed identifiers, such as phone numbers or email addresses, under the assumption that hashing renders personal data effectively anonymous.

That assumption is increasingly being challenged.

Recent demonstrations by privacy infrastructure company Silence Laboratories show that hashed identifiers drawn from predictable data spaces can often be reversed in seconds using only computation and publicly available information, without breaches, insider access, or decryption keys.

The implication is clear: hashing, when applied to personal identifiers, does not provide the level of privacy protection many organisations believe it does.

Hashing has become the default, but on shaky foundations

Hashed identifiers are widely used for customer matching, audience measurement, fraud detection, and analytics. Advertising platforms, including Google Ads, support workflows that rely on hashing customer data before sharing. Financial services providers, such as Stripe, similarly hash emails or other identifiers for various use cases.

The logic appears sound: cryptographic hash functions are “one-way,” meaning the original input cannot easily be derived from the output. If the data looks unreadable, it must be safe.

In practice, that logic breaks down.

Why hashing fails as a privacy measure

Hashing is only difficult to reverse when the input data is random and high-entropy. Personal identifiers are neither.

Phone numbers, email addresses, and payment identifiers all come from small, predictable spaces. Phone numbers are finite. Email addresses follow well-known patterns and can often be sourced from other datasets. In these cases, attackers do not need to “break” hashing; they simply regenerate hashes at scale and match them back to real identities.

This approach remains effective even when hashes are salted. Salting may prevent the use of pre-computed rainbow tables, but it does not stop attackers from generating hashes on the fly once the salt is known. With modern hardware, billions of candidate identifiers can be processed in minutes.

Crucially, personal identifiers differ from passwords in two important ways:

  1. They are low-entropy: hashing billions of phone numbers or emails is computationally trivial.
  2. They are immutable: unlike passwords, identifiers cannot be reset once compromised.
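A pre-sharing audit makes the point concrete. The following is an added example, not code from the article or from Silence Laboratories: it checks how many records in a hashed export are recoverable by enumerating the identifier space, with and without a salt that the receiving party also holds. The number block, sample customers, salt and function names are all constructed for illustration.

```python
import hashlib
import math

def digest(identifier: str, salt: str = "") -> str:
    """SHA-256 of salt + identifier, hex-encoded (a common sharing format)."""
    return hashlib.sha256((salt + identifier).encode()).hexdigest()

def candidate_space(prefix: str, suffix_digits: int):
    """Every identifier in a block: fixed prefix plus N variable digits."""
    for n in range(10 ** suffix_digits):
        yield f"{prefix}{n:0{suffix_digits}d}"

def audit_shared_hashes(shared, prefix, suffix_digits, salt=""):
    """Count how many hashed records are recovered by plain enumeration."""
    wanted = set(shared)
    recovered = {}
    evaluations = 0
    for candidate in candidate_space(prefix, suffix_digits):
        evaluations += 1
        h = digest(candidate, salt)
        if h in wanted:
            recovered[h] = candidate
    return {
        # Entropy of the identifier space, in bits.
        "space_bits": round(math.log2(10 ** suffix_digits), 1),
        # Work needed to cover the whole space; the salt does not change it.
        "evaluations": evaluations,
        "recovered": len(recovered),
        "total": len(wanted),
    }

# Constructed sample: fictional numbers in a made-up block "+00555" + 5 digits.
PREFIX, DIGITS = "+00555", 5
CUSTOMERS = ["+0055500042", "+0055531337", "+0055599999"]
SALT = "campaign-2026"  # constructed; known to the partner so hashes can match

unsalted = audit_shared_hashes([digest(c) for c in CUSTOMERS], PREFIX, DIGITS)
salted = audit_shared_hashes(
    [digest(c, SALT) for c in CUSTOMERS], PREFIX, DIGITS, SALT
)

if __name__ == "__main__":
    print("unsalted:", unsalted)
    print("salted:  ", salted)
```

Both runs recover every record with the same number of hash evaluations, which is the sense in which a known salt adds no protection for a small identifier space.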

Once hashed identifiers are shared externally, the ability to control or audit their use is effectively lost.

A growing regulatory gap

Privacy regulations are explicit about what matters: re-identification risk, not cosmetic masking.

Under frameworks such as the General Data Protection Regulation (GDPR), hashed personal data is considered pseudonymised, not anonymised. That distinction carries real legal consequences. If data can be re-identified, it remains personal data, and liability remains with it.

Regulators have repeatedly warned organisations against relying on hashing as a privacy shield. The Federal Trade Commission has stated on record that hashing does not anonymise data, and has pursued enforcement actions against companies that shared hashed identifiers despite knowing they could be re-identified.

Cases involving Nomi, BetterHelp, Premom, InMarket, and others underscore a consistent message: hashing does not absolve organisations of responsibility.

The industry blind spot

Many organisations believe that sharing hashed identifiers limits exposure to “overlap analysis” or narrowly scoped use cases.

In reality, once hashed data leaves an organisation’s control, it can be reused, recombined, and reverse-engineered without detection. Hashing provides no meaningful auditability, no enforceable usage constraints, and no way to prevent secondary misuse.

As a result, what is often framed as a privacy-preserving technique can quietly enable large-scale re-identification.

Seeing the risk firsthand

The broader ecosystem reflects this reality. Data enrichment and identity resolution vendors openly market services that reverse hashed email and phone identifiers, reinforcing how fragile these protections are in practice.

Beyond heuristic privacy

Privacy in the modern data economy is no longer about making data look unreadable. It is about ensuring misuse is mathematically impossible, even when data is shared or systems are compromised.

As regulators sharpen their focus and enforcement actions increase, organisations will need to move beyond legacy assumptions about hashing and towards privacy architectures that are designed for provable non-reidentification.

  • Published On Feb 5, 2026 at 08:57 AM IST
