VaporVault and the 16 Billion Password Problem
- Rich Washburn

- May 13


I'm going to be honest — I wasn't planning to talk about VaporVault this week. But then the 16 billion credential story dropped, and a few people reached out asking if I'd seen it. And I kept thinking about this little device sitting on my desk that I built about six months ago, mostly out of frustration, mostly at 3am. And I figured — yeah, this is probably worth bringing back up.
Not because VaporVault solves the breach. It doesn't. Nothing does. But it does solve the specific problem that made the breach as bad as it is.
The Real Problem With the 16 Billion Dump
If you haven't read my post on the breach yet, the short version is this: 16 billion credentials got exposed across 30 databases. The alarming part isn't the number — it's where the data came from.
A significant chunk of it didn't come from hacked company servers. It came from infostealer malware — software that silently lifts your saved browser passwords, session cookies, autofill data, and authentication tokens off your actual device. The cloud didn't get hacked. Your machine did. Which means the attack surface isn't the service you're using. The attack surface is everywhere your credentials live — and for most people, that's a browser that syncs to the cloud, a password manager connected to the internet, and a handful of text files they pretend don't exist.
What VaporVault Actually Is
VaporVault is a small ESP32-based device I built that stores sensitive text — passwords, keys, seed phrases, private notes — completely offline.
When you power it on, it creates its own isolated Wi-Fi network. You connect to it like you'd connect to any network, open a browser, authenticate, and access your notes. When you're done, you disconnect and power it off. At that point, from any attacker's perspective, that data doesn't exist. There's no cloud to breach. No sync service to intercept. No browser vault to drain. No API endpoint to probe. It's not a replacement for your password manager for everyday logins. That's not what it's for. It's for the stuff you don't want anywhere near a network — seed phrases, recovery codes, private keys, the credentials that, if lost, are actually catastrophic.
I've been calling it the threat surface reduction play, which sounds fancy, but really it just means: the data can't be stolen from a place it was never stored.
The Build-in-Public Reality
I've written a few posts about VaporVault over the past several months — the late-night firmware sessions, the Node mode experiment, the 3am "I think this is actually done" moment. If you've been following along, you know this project came out of genuine frustration, not a product roadmap.
VaporVault 3.0 is legitimately finished. Unified firmware. Hardware auto-detect. Mode switching between private vault and shared Node mode. Four independent folders. Per-folder themes. Hardware-triggered data destruction. Zero cloud, full local. The UX is smooth in a way that surprised even me. I have a few units built. I have a site — vaporvaultsafe.com. I have firmware that runs on two hardware variants.
What I don't have is the bandwidth to take this to market myself.
Why I'm Putting This Out There
Here's the honest version: I'm looking for the right person or the right partner for this. Whether that's an investor who wants to back a hardware run and take it to retail, a security company that wants the IP and firmware stack, or someone who just sees what I see in this thing and wants to run with it — I'm open to the conversation.
The timing isn't lost on me. A 16 billion credential leak is not a great week for password security. It is, however, a pretty good week to be holding a device that was built specifically to not be part of that problem.
I'm not out here trying to ride a news cycle. I built this thing months ago because I needed it. The news cycle has just finally caught up to the threat model I was already thinking about.
If you're in the security space, if you move hardware, if you're an investor looking at the physical security market, or if you're just someone who's been following this project — reach out. Let's talk.
The seed ask is $250K–$300K for a proper production run and launch. The IP is clean. The firmware is done. The concept is validated by, oh, about 16 billion data points.
VaporVault — vaporvaultsafe.com



