> The number of passwords and the severity of the hack was not uncovered until today. The passwords were stored using unsalted MD5 hashing

I'm 100% sure it was known it was MD5 before, and I'm 100% sure I've seen pastebins with lots of successfully bruteforced hashes, because my password was among them.

Example: https://blog.lastpass.com/2012/06/in-case-you-missed-it-chan...

How come the salts aren't available? Did the attacker choose not to release them, or were they stored elsewhere?

Or were they really bad salts? Like a hash of the username?

That wouldn't really be a proper salt, although technically it would fulfil the purpose of a salt, which is to prevent lookup tables being used.

Oh I agree, but I've seen too many "clever" systems which derive the salt from something like the username or another field or fields in the DB.

Just because there is no obvious salt now doesn't mean it's not there. Only Dropbox knows how it worked at this point.

We will have to wait for a code leak ;-)

Uh oh. You might be on to something. Salts are pretty much always stored right next to the hash, right? If the hack doesn't contain them, maybe they were doing something "clever" like that.

Well, let's reply to the obvious troll.

Troy Hunt is a person, not a team, and I guess he links to HIBP because he's proud of his work. I know I would.

You forgot to add that it is also an incredibly valuable service for times like these that is totally free.

At this point I'd say signing up for notifications with it is just a solid security practice.

It's funny that I got my free certs from WoSign because I didn't want to give my data to the Mossad, and now it turns out they are related. :/

They are not fined, they are being told to pay what they owe.

Imagine your country offers a tax refund for installing solar panels. Because of this, you decide to buy and install solar panels. Lateron, it is decided that your country shouldn't have offered this refund for this or that reason.

Would you feel that it is fair that you have to pay up, instead of the institution that wrongfully offered you tax refunds?

That's a bad argument because:

1) Apple would have sold their stuff in Europe whether they had to pay full taxes or not, they only wanted a discount. I would probably not pay for the solar panels because I can't afford them.

2) Solar panels are very expensive and would make a huge dent in my balance. That's not the case for Apple.

0% tax on profits would be fair for whom? Definitely not the citizen.

It would be fine if you moved the tax to dividends and capital gains.

How much is that at a macro level? Is it relevant at all?

According to this document [1] the revenue form "Taxes on personal income, profits and gains" in 2014 was €15B.

[1] http://www.oecd.org/ctp/consumption/revenue-statistics-and-c...