'Dropbox passwords' for sale are all EXPIRED: Bitcoin buyers beware

Yet another fraudster is struggling to relieve suckers of their Bitcoin after publicly posting what's purported to be a cache of no less than 7 meellion Dropbox login credentials. A guest poster on Pastebin posted three documents, all claiming to be a subset of "the massive hack of 7,000,000 accounts". The posts said there are …

  1. Mark 85

    Huh?

    The failed fleecing serves as a timely reminder to never pay money into Bitcoin wallets listed on Pastebin

    How about "there is no honor among thieves and would-be thieves"? On the other hand... scamming the thieves and the scammers isn't a bad idea if they don't catch you.

  2. as2003

    > and uses AES-256 encryption to protect stored files

    Doesn't really make any difference if a) the attacker can walk in through the front door with the correct credentials, or b) three-letter agencies can just stroll in through the back door with the decryption key.

    Not that I want to discourage any steps towards security. But it feels more like they are waving around buzzwords in the hope of giving some false sense of security.

    1. Valeyard

      > Doesn't really make any difference if a) the attacker can walk in through the front door with the correct credentials, or b) three letter agencies can just stroll in through the back door with the decryption key

      may as well not try then. oh what's the point, i dunno why i bother here just take it all, you will anyway etc

      /marvintheparanoidandroid

    2. KroSha
      Devil

      And that would be why the only non-trivial thing in my Dropbox account is an encrypted disk image. IF anyone gets past the AES-256 on the front end, they then have to break the AES-256 on that before they get at my stuff.

      1. Dave_uk

        At last, someone else with a brain.

  3. batfastad
    Joke

    7 million accounts?

    I find that very hard to believe.

    Unless it's 1000 users all signing up for multiple accounts to get more than the default ~2MB of space.

    Joke icon but seriously bro, 2GB for free accounts?

  4. Anonymous Coward

    time has come

    I think the time has come for all websites using passwords to explain what kind of measures they are using to store the password safely. If a site doesn't disclose that, don't use it! It may be vulnerable! Passwords have to be hashed and salted, and sites should ask for a minimum of 10 characters.

    1. Pascal Monett

      a minimum of 10?

      I'd be happy if many websites didn't make 10 the maximum possible.

      But yes, we need a Password Storage certification that tells us that a site has been controlled and certified for level A, B or C of protection, with A being the latest updated security technology, B would indicate somewhat average hashing and salting but with outdated encryption levels (like 56-bit today) and C being the equivalent of a text file with passwords stored in the clear.

      Of course, the certification must be done by a trusted authority, and the level must be evaluated and updated regularly. Websites could only post the relevant certification after authorization by the certification authority.

      That would help clear the waters somewhat, I think.
