Meta Warns: Quantum Threat Is Here – 'Store Now, Decrypt Later' Attacks Already Underway

Technology giant Meta issued an urgent call to action today, sharing its internal framework for migrating to post-quantum cryptography (PQC) and warning that attackers are already harvesting encrypted data to crack later. The company stressed that organizations must begin transitioning immediately to protect against future quantum computers that will break current public-key encryption.

“We cannot afford to wait until quantum computers arrive,” said Meta’s lead cryptographer in a statement. “Sophisticated adversaries are already executing ‘store now, decrypt later’ attacks, collecting sensitive data today for decryption tomorrow. The migration must start now.”

Meta’s PQC Migration Framework

The framework, detailed in a new internal report released to the public, introduces the concept of PQC Migration Levels to help organizations prioritize and manage complexity across different use cases. It covers everything from risk assessment and cryptographic inventory to deployment and security guardrails.

“Our goal is to provide practical, actionable guidance that accelerates the entire industry’s shift toward a post-quantum future,” the cryptographer added. “This transition must be effective, efficient, and economic – especially for systems that handle billions of users daily.”

Background: The Quantum Time Bomb

Research shows that quantum computers will eventually break conventional public-key cryptography, posing a systemic risk to digital infrastructure. Experts estimate this could happen within 10–15 years, but the threat is already active via SNDL attacks where encrypted data is stolen now for later decryption.

Leading standards bodies including the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) have published migration guidance, setting target dates as early as 2030 for critical systems. NIST recently finalized its first PQC standards – ML-KEM (Kyber) and ML-DSA (Dilithium) – with a third algorithm, HQC, expected soon. Notably, Meta cryptographers are co-authors of HQC, reflecting the company’s deep involvement in advancing global cryptographic security.

Meta’s Proactive Stance

With billions of users relying on its platforms, Meta has already begun deploying post-quantum encryption across its internal infrastructure over a multi-year process. The company says its migration is designed to uphold security and privacy commitments both now and in the future.

What This Means for the Industry

For organizations that have not yet started, Meta’s blueprint offers a clear starting point. The background explains the urgency, while the framework itself provides a step-by-step methodology. Key takeaways include:

• Start inventory now: Catalog all uses of public-key cryptography across your systems.
• Assess risk: Prioritize systems that protect long-term secrets (e.g., identity data, intellectual property).
• Adopt hybrid approaches: Combine traditional and post-quantum algorithms during the transition period.
• Prepare for larger key sizes: PQC algorithms are computationally heavier; plan for performance impact.

“The industry-wide transition will be complex and lengthy,” the cryptographer emphasized. “But the cost of delay far exceeds the investment required to start now.”

Call to Action

Meta’s report includes detailed lessons learned from its own migration, including how to manage operational complexity and maintain backward compatibility. The company urges organizations to treat PQC migration as a business-critical initiative, not just a technical upgrade.

“We have a limited window to secure our digital future,” the statement concluded. “Meta is sharing everything we’ve learned to help others move faster. There is no time to waste.”