back to article 50c buys you someone else's password for Netflix, Spotify or ...

Criminals are selling 'lifetime' Netflix, HBO, and cable sports streaming accounts for less than US$10 on sites hidden within Tor. Premium sports accounts sell for about $10 while streaming TV can be bought for as low as 50 cents, far less than the $10 monthly subscription. Comic fans can buy a stolen Marvel Unlimited …

  1. Flocke Kroes Silver badge

    Almost worth it for an electronic component datasheet download account

    Guesses like 'username' / 'password' are likely to get you in faster that filling out the enormous form. The form certaily wastes more than 50¢ of time. The only downside is the amount of time required to make a darknet purchase compared to the fun finding the stupidest combination of selections if someone has not setup 'username' / 'password' already.

    1. Anonymous Coward Silver badge

      Re: Almost worth it for an electronic component datasheet download account

      bugmenot works a lot of the time. Easier to look it up there than trying lots of random ones which might work.

      1. Danny 14

        Re: Almost worth it for an electronic component datasheet download account

        I remember charging 50p at school for forging parents signatures on detention slips. I had a knack for it copying from homework diaries. Was a good little earner till someone squealed to it :( had to move to selling cigarettes then and that was a crowded market.

        1. Anonymous Coward
          Anonymous Coward

          Re: Almost worth it for an electronic component datasheet download account

          I sold homework. Worked well until one of my regulars decided that stealing it from my locker was better than paying me a few bucks. He got caught and turned rat. Fortunately, some of my other regulars took care of things and I was able to get back to business pretty quickly with no more hiccups.

  2. Anonymous Coward
    Anonymous Coward

    Privacy is dead

    Privacy is dead!

    ad infinitum....

    1. Anonymous Coward
      Anonymous Coward

      Re: Privacy is dead

      posted anonymously....

      1. Anonymous Coward
        Anonymous Coward

        Re: Privacy is dead

        Irony fail

  3. Your alien overlord - fear me

    Why is a rap singer buying me passwords?

  4. Anonymous Coward
    Anonymous Coward

    Fucking lucky our commentard accounts on el reg are secure then. Nothin' worse than sending passwords in plaintext.

    An SSL cert is $10, you cunts. I'll help you install the fucking thing if it's a problem. $10 won't buy you an A+ here:

    ...but vaguely showing interest is better than not bothering. The NSA and GCHQ and all the other fuckers have our passwords already; I know. But as a tech site specialising in moaning about surveillance, you should do SSL just to piss them off, if nothing else.

    1. Anonymous Coward
      Anonymous Coward

      Yes, I'm getting pissed off with those people posting with my handle.

    2. xj650t


      El Reg are waiting for a free cert from let's as they spent the certificate money down the pub last Friday, hick!

    3. VinceH

      Way I see it, people commenting on El Reg should be tech savvy enough not to be reusing log-in details from other sites, and realise that anything posted is public anyway. i.e. it would be better if an SSL certificate was in use, but it's no big deal.

      (Commentards hiding behind less open user ids than mine may have different feelings about it!)

      1. 2460 Something

        unique username/passwords

        Too right. Set up a password manager and just randomise details for every site you sign up for.

        I also use a unique email per site so if I start getting spam from on that address I just redirect to /dev/null.

        1. noj

          Re: unique username/passwords

          If you have a decent password manager you should also be able to change passwords more frequently. We tend to find out the true extent of a breach weeks or even months afterwards. By changing passwords to more important sites on a regular basis (like your banks and credit cards) you stand a better chance of locking out nefarious folk sooner when a breach occurs.

      2. Robert Helpmann??

        "Commentards hiding behind less open user ids than mine may have different feelings about it!"

        Not sure how I feel on the subject given that I am essentially guilty of identity theft because

    4. Marco Fontani

      Eeh... There are steps to be taken to ensure we can use TLS across the sites, and unfortunately things are a tiny wee bit more complex than installing a cert and calling it a day. If you seriously believe that's all it takes, don't take it wrong if I don't take you up on the offer to help out, but instead ask you to get as far away as you possibly can from being able to "help" ;)

      For context,

      Installing a cert and making the site available over TLS sounds like 99% of the work, but in reality it's - for me - a _literal_ press of a button. It's piss easy; it's straightforward: we already use TLS for private stuff which _requires_ us to have secure authentication. We strive to get an A on ssllabs, but that might mean that older browsers/OSes would be unable to connect, and we can't (yet) have that for our main site, can we?

      It's easy to notice that (most of) the images on the site are served (thanks to cloudflare) over TLS - mainly to ensure that recent browsers can download them in parallel, and partly to assess the impact of enabling TLS for at least part of the audience.

      The difficult/lengthy part in all of this endeavour (enabling TLS on the main sites) is ensuring the rest of our infrastructure can properly work under TLS, that users can use TLS across the sites (account, forums, whitepapers, …) and that the business doesn't collapse overnight due to people switching to TLS only (think, ads), etc. etc. This is the actual 99% of the work, which we've been making strides towards for a while. It'll all eventually converge, and we'll go live with "it" when it's possible, when it makes sense to, and crucially when we've tested the shit out of it.

      So, Soon®

      1. Anonymous Coward
        Anonymous Coward

        OK, you make some good points. And I may or may not have been spectacularly trashed when I stomped my monster feet slippers (yes, really) and made my petulant demands. It's still a bit surprising that a mighty tech organ like El Reg doesn't have TLS on the login form(s) though. Just for *ahem* form's sake.

        TBH, I wasn't really considering the going site(s)-wide aspect because the point at which it's safe for you to do that and still ship adverts is the point at which it isn't really worth bothering with unless you're living in an exceptionally harsh regime.

        1. Marco Fontani

          > It's [...] a bit surprising that [...] doesn't have TLS on the login form(s) though

          And the point of having TLS on the login form only is… to protect your password? Don't reuse passwords across sites, and if that password gets taken by a drive-by on the unsecured wi-fi while you sip your latte, nothing of value is lost.

          Create a password with "pwgen 32 1"; copy, paste, login, forget, "reset password" if you ever need to get in again.

          Use lastpass or similar if you need to have stronger "security"; use "pass" if you like the command line and are a gpg nut like myself.

          Having TLS _only on the login form_ is pretty damn useless because of the above, and what a website should have is have TLS _everywhere_. If it's only on the login form, then an "attacker" sitting behind you while you sip your latte would not be able to sniff your password, but will be able to sniff the authentication cookie - so they'd still be able to post stuff as you, or change your details on account, etc.

          So, we either do it _everywhere_ and _properly_ (see things like "https everywhere" and HSTS) or it's IMHO pretty damn useless, security wise - and not really doing it at all.

          Should we just enable TLS on the login form to "tick a box", or should we do it everywhere, and do it right? In general, we try to get things right even if it takes a little while longer - whenever possible.

          Kinda like a variation of "fast, good, cheap - pick two". Wherever possible, we pick "right", and "even if it takes longer".

          Luckily most ads-serving businesses are able to work and provide ads over TLS, so that's a good chunk of work and worry I'm glad we don't have to think about too much. It took time for the industry to get to that point though.

          So… it's a matter for us to sit at our mac, sip our favourite @drinks and get on with it. Unfortunately it's not the only task on our plate, and - as I hope to have explained - it's not the most time-sensitive or important one to be done next.

          You could be asking a similar question about enabling IPv6 access - also able to be enabled at the touch of a button. You'd get a similar answer: we need to ensure _all_ our sites, processes, programs, what-have-you can handle it. That'll also arrive Soon® :)

          1. Anonymous Coward
            Anonymous Coward

            A gracious and detailed reply to my somewhat arseoleish initial post.

            Even after all you've said, though, it still feels just plain wrong to be handing plaintext passwords over an unsecured connection. And you've got a multiplication factor there of being a news outlet that regularly berates others for plaintext passwords (usually on databases fair enough).

            Agreed it doesn't really matter in the grand order of things and I would expect that there aren't too many commentards who are recycling passwords which would be the truly dangerous aspect.

            I'll just wait for Soon® to show up then...

    5. Mr Anonymous

      "Fucking lucky our commentard accounts on el reg are secure then. Nothin' worse than sending passwords in plaintext. An SSL cert is $10, you cunts. I'll help you install the fucking thing if it's a problem"

      The Reg is on Cloudflare, SSL is included free, there's something else going on here.

      $ nslookup

      Server: a.b.c.d

      Address: a.b.c.d#53

      Non-authoritative answer: canonical name =



      $ whois


      # ARIN WHOIS data and services are subject to the Terms of Use

      # available at:


      # If you see inaccuracies in the results, please report at




      # The following results may also be obtained via:



      NetRange: -



      NetHandle: NET-104-16-0-0-1

      Parent: NET104 (NET-104-0-0-0-0)

      NetType: Direct Assignment

      OriginAS: AS13335

      Organization: CloudFlare, Inc. (CLOUD14)

      RegDate: 2014-03-28

      Updated: 2015-10-01



  5. Peter 26
    Thumb Down

    Not worth 50c

    Do you trust the sellers to only sell an account to one person? Sell it to multiple people and then it will become like bugmenot and whack a mole to find an account that actually works from your list.

  6. Deft

    Am I being thick?

    Things like Spotify or Netflix have viewing histories or syncing of playlists / collections. Wouldn't it be kind of obvious an uninvited freeloader is sharing the account?

    1. Anonymous Bullard

      Re: Am I being thick?

      Ever wondered why you're getting such ridiculous recommendations?

  7. Anonymous Coward
    Anonymous Coward

    how much for PluralSight? I'm only asking because their prices are bloody outrageous.

    1. CAdan


      Might be worth checking out the Visual Studio Dev Essentials program ;)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like