We demonstrate experimentally that the traditional double random phase encoding (DPRE) technique is vulnerable to the cyphertext-only attack (COA). With the statistical ergodic property of the speckle, we show that the plaintext image can be recovered from the cyphertext alone owing to the fact that their energy spectral density functions are identical. Our result reveals the most serious security issue with the DRPE as it suggests that even the one-time-pad does not guarantee its security. This will open up new inside understanding of current optical security techniques.