In the absence of a state-sponsored cyberattack, there are other ways to glean someone’s fingerprint. Researchers at Tokyo’s National Institute of Informatics were able to reconstruct a fingerprint from a photo, taken from nine feet away, of a person flashing a peace sign. “Once you share them on social media, then they’re gone,” Isao Echizen told the Financial Times.

Face-shape data is susceptible to hacking, too. A study at Georgetown University found that images of a full 50 percent of Americans are in at least one police facial-recognition database, whether it’s their driver’s license photo or a mugshot. But a hacker wouldn’t necessarily need to break into one of those databases to harvest pictures of faces—photos can be downloaded from Facebook or Google Images, or even captured on the street.

And that data can be weaponized, just like a fingerprint: Last year, researchers from the University of North Carolina built a 3D model of a person’s head using his Facebook photos, creating a moving, lifelike animation that was convincing enough to trick four of five facial-recognition tools they tested.

The fundamental trouble with biometrics is that they can’t be reset. If the pattern of one of your fingerprints is compromised, that’s fine; you have a few backups. But if they’re all gone—some law-enforcement databases contain images of all ten fingers—getting them replaced isn’t an option. The same goes for eyes, which are used for iris or retina scans, and your face. Unlike a compromised password, these things can’t be changed without unpleasant surgery or mutilation.

“If Border Patrol and your bank and your phone all are collecting your fingerprint data, all it takes is one actor who figures out how to manipulate that and you’ve basically wiped out the usefulness of that information,” said Betsy Cooper, the director of the Center for Long-Term Cybersecurity at the University of California, Berkeley.

What’s more, fingerprints and face shape, the two most widely used forms of biometric identification, stay quite stable over time. A study of automatic face-recognition systems from Michigan State’s Biometrics Research Group examined nearly 150,000 mugshots from 18,000 criminals, with at least 5 years between the first and last photo. The researchers found that one off-the-shelf software package was still 98 percent accurate when matching a subject’s photo to one taken 10 years prior. There’s even a field of research that studies how facial software can recognize the same face before and after plastic surgery.

The same Michigan State lab found that fingerprint patterns stay consistent over time, too. This time, the study examined a database of fingerprints from more than 15,000 people who were arrested by Michigan State Police over the span of five years. The results showed that for practical purposes, a 12-year-old fingerprint could be matched with an original, with nearly 100 percent accuracy. In another experiment, the group found that children’s fingerprints begin to stabilize at about one year of age, and remain of sufficient quality to identify them for at least a year.