Computer Science Cybersecurity Data Security

Embeddings Were Never a One-Way Street

A 2023 attack recovers 92% of texts—and patients' full names—straight from their supposedly anonymized vectors

S.J. Nam 7 min read
Embeddings Were Never a One-Way Street

The Vial on the Nightstand

In October 2023, a team led by the researcher John X. Morris built a tool that could take nothing but a string of numbers — the kind of vector a machine learning model spits out when it "reads" a sentence — and hand back the sentence itself, word for word. Not a paraphrase. Not a guess at the topic. The actual text. Their method, a multi-step search-and-correct algorithm called Vec2Text,
recovers 92% of 32-token text inputs exactly
from their embeddings alone, and the authors went further, showing they
could recover important personal information, including full names, from a dataset of clinical notes
. That detail — full patient names, lifted back out of numbers that were supposed to be an anonymized statistical shadow of the record — is the part that most breezy explainers of embeddings skip past. And it's the part that should reframe how we talk about the whole technology.

Everyone who writes about embeddings reaches for the fingerprint comparison eventually, and for good reason: a fingerprint is a compressed signature. Ten ridges of skin reduce a whole human body down to a repeatable pattern, just as an embedding model reduces a paragraph, an image, or a customer's shopping history down to a list of a few hundred floating-point numbers. But writers usually stop at the flattering half of the metaphor — uniqueness, compactness, elegance — and skip the half that actually matters to anyone whose data ends up in a vector database. A real fingerprint isn't just a unique label. It's a physical trace that can be lifted off a glass and matched back to a face. The Morris paper's title says the quiet part out loud: embeddings reveal almost as much as the text itself. That's not a fingerprint as souvenir. That's a fingerprint as evidence.

What Everybody Assumed Was One-Way

The comfortable assumption baked into a decade of engineering practice was that turning text or images into embedding vectors was a one-way street — lossy compression that threw away the specific words and kept only the "meaning," the way a hash function scrambles a password past recovery. Companies built entire privacy arguments on that assumption: store the embedding, not the raw record, and you've supposedly stripped out the sensitive part while keeping the useful part for search and recommendation. Vector databases exist precisely because embeddings are treated as safe-to-share proxies for the data that produced them.

The inversion literature spent the years leading up to Vec2Text quietly dismantling that assumption piece by piece. Earlier work by Congzheng Song and Ananth Raghunathan had already shown embeddings could be coaxed into giving up bag-of-words information, and subsequent studies went further, with researchers demonstrating that
sensitive data can be extracted from text embeddings
, including a technique called the Canary Extraction Attack that
extracts specific 'canary' tokens through prefix-driven text completion that iteratively predicts sensitive continuations of seeded phrases
. Morris and his co-authors' contribution was to close the loop entirely: rather than fishing for fragments, their method treats inversion as controlled generation, repeatedly re-embedding candidate sentences and nudging them toward the target point in vector space until the reconstruction and the original become indistinguishable to the model that made them. It's less like guessing a password and more like a sketch artist redrawing a face from a single, blurry photograph — except the sketch artist gets to keep checking the redraw against the original photo, over and over, until the two are identical.

The Fine Print Nobody Read

The most counterintuitive finding buried in this line of research isn't that inversion works — it's how little seems to protect against it once an adversary has access to the embedding model itself. A 2025 reproducibility study of the original paper stress-tested the obvious defenses and found the trade-offs uncomfortable. Adding noise to embeddings degrades their invertibility, but so does something simpler: quantization, which the researchers found is
a lightweight, hyperparameter-free method that can be rapidly deployed
and that reduces how well an attacker can reconstruct the original text, as measured by translation-quality scores, while retrieval performance — the entire point of building embeddings in the first place —
remains stable
. But the same study is careful to note that
quantization does not remove all sensitive information from embeddings
. In other words, you can dial down the fingerprint's resolution, but you cannot currently wipe it clean without also ruining the thing that made it useful. That's a genuinely strange property for a piece of "compressed" data to have: the compression and the leak are the same mechanism, so fixing one tends to break the other.

This is where the fingerprint metaphor stops being decorative and starts being diagnostic. A crime lab doesn't treat a lifted print as harmless just because it's been reduced to a set of ridge-pattern minutiae rather than a photograph of a hand — the whole reason fingerprint databases exist is that the reduced representation is still recoverable to an identity. Embedding vectors, it turns out, sit in exactly that position: reduced, but not de-identified. The word2vec breakthrough that launched this field in 2013, with its famous demonstration that vector arithmetic on "king," "man," and "woman" lands near "queen," was celebrated because embeddings preserved relationships between concepts with startling fidelity. Nobody at the time was framing that fidelity as a liability. But fidelity is fidelity — a representation precise enough to capture that "king minus man plus woman" points at "queen" is also, it turns out, precise enough to be walked back toward the sentence it came from.

Why the Reversibility Is the Feature, Not a Bug to Patch Out

Here's the genuine counterpoint, and it's worth taking seriously rather than dismissing: embeddings are reversible partly because we want them to be extraordinarily expressive. A representation that threw away enough information to be truly un-invertible would likely also be too degraded for the semantic search, recommendation, and retrieval tasks embeddings were built for. The 2025 reproducibility study essentially confirms this tension mathematically — protect against inversion, and you measurably trade away retrieval quality (their nDCG@10 metric) in the process, unless you're careful about how you apply the defense. So this isn't a case of sloppy engineering waiting for a patch. It's a structural trade-off between two things people want simultaneously: embeddings expressive enough to be useful, and embeddings opaque enough to be safe. Right now, the field has consistently found itself able to get one or the other, and only partial success at getting both at once.

That trade-off deserves to reshape a policy conversation, not just a research agenda. Firms building on embedding models routinely tell users and regulators, implicitly or explicitly, that storing "just the vectors" instead of raw text is a privacy safeguard. The clinical-notes result should make that claim uncomfortable to repeat without qualification — not because embeddings are useless, but because the industry has been treating a fingerprint as if it were a fingerprint's shadow.

An Open Case File

Fingerprints didn't stop being useful once forensic science figured out how to lift and match them; they became more consequential, because everyone had to reckon with what a trace left behind actually meant. Embeddings are at that same hinge point now. The vector sitting in a database isn't the sanitized residue of a sentence — it is, with the right tool and enough compute, most of the sentence, still warm. The question worth sitting with isn't whether embeddings are private. It's who else currently has the equivalent of a Vec2Text sitting on their servers, quietly matching prints nobody realized they'd left.

References