This article was published on June 5, 2011

Pastebin: How a popular code-sharing site became the ultimate hacker hangout


Pastebin: How a popular code-sharing site became the ultimate hacker hangout

In recent months, technology news has been dominated by reports of numerous hacking attempts, subsequent break-ins and embarrassment of companies that have seen customer information stolen and their reputations tarnished.

Gawker found itself subjected to a spate of attacks by online collective Gnosis – a group that posted over a million user logins to file-sharing websites – more recently Sony found its network of corporate websites and services compromised again and again, even the FBI wasn’t spared from an unauthorised intrusion.

The groups behind them may have shared a common goal, perhaps belonging from the same collective at some point in time, but all of the attacks had a common link – news of the hacks and the information captured were posted to popular code-sharing website Pastebin.

A Code-sharing Website?

Pastebin isn’t a new website, in fact its nearly ten years old. Starting life in March 2002, Pastebin.com went live on September 3 2002 as a creation by Paul Dixon and a group of developers that continually contributed code to the project to help coders share snippets or entire copies of their source code or highly amusing IRC chat logs.

The first ever iteration of Pastebin described itself as:

[A] tool designed to enable collaborative code review via the #php IRC channel. Inspired by www.parseerror.com/paste, but more streamlined and capable of allowing collaboration via IRC by allowing easy modification of  posted code. Another benefit is short urls – http://pastebin.com/333

The code was originally written to operate from a single open-source PHP file with the code posted publicly so that users could hit “view source” to see how it operated. As the site gained additional features such as clipboard and Ruby support, the codebase became too big for one file but remained true to its origins, keeping all of the version information integrated within the files.

Despite numerous copycats, Pastebin remained one of the most popular code-sharing repositories for a number of years until the original creator posted to the website that he was to sell the website. One person that was very interested at the prospect of a sale was Jeroen Vader, a serial Internet entrepreneur of eleven years that was an active user of Pastebin and thought more could be done with the site.

Vader explains:

Pastebin is actually the only website I have ever owned that I didn’t create myself. I have been an internet entrepreneur for about 11 years now, and I have always coded/designed/developed all my projects myself, except for Pastebin. The website was originally launched in 2002. In February 2010 that person put a message on Pastebin that it was up for sale and because I was an active user of Pastebin myself, I quickly found out.

The project interested as I am a programmer myself. When I bought Pastebin in early 2010, the design and interface hadn’t changed for about 8 years, so the first thing I did was create Pastebin V2. This was very well received by the community and the website started to grow rather quickly. Early this year I launched Pastebin V3 which has boosted the websites traffic even more, helped by the introduction of a member system.

The Popular Kid In Class

As social network use became more widespread, interest in Pastebin began to pick up also. Although the service was originally created to share bits of source code and chat logs, members of Twitter – the world’s most popular microblogging service – started to use Pastebin to write messages that were longer than 140 characters, linking to the “pastes” in their Twitter posts.

In just over a year, Vader developed additional features to extend the reach of Pastebin, providing browser extensions, smartphone and tablet apps and desktop applications. With new tools introduced and the release of Pastebin V3, users began creating pastes from their mobiles and other platforms, utilising the service to create quick and easy To-Do lists.

In recent months, Pastebin showed its use as a reliable and easy way to share important data.

In December 2010, Nick Denton’s Gawker Media was targeted by Gnosis, which used Pastebin to host an extremely long readme file detailing server logins, staff usernames and passwords. The paste was associated with a 500MB torrent file posted to ThePirateBay, allowing anyone with a Bittorrent client to download 1.3 million usernames and passwords.

At the time, Gnosis revealed to us that it was not part of Anonymous, although reports have suggested that a number of its members did have associations with the decentralised online community.

Throughout May and into June, Pastebin experienced its biggest traffic in its nine year history. Hacker group Lulz Security (or LulzSec) began posting information related to its most recent attacks to the service (as well as its website and Bittorrent websites), linking to their pastes from its Twitter account.

The group introduced itself with the hacking of Fox’s X Factor contestants database, posting the results to Pastebin on May 7 2011. This was its introduction:

Hello, good day, and how are you? Splendid! We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender year.

The file listed over 70,000 contestant records, including names, addresses, dates of birth, telephone numbers and email addresses – all captured from Fox’s, then insecure, SQL databases.

Attacks on PBS soon followed, with the group uncovering MySQL root passwords, press passwords, frontline logins and staff user credentials in a revenge attack against the broadcaster after the company aired an “unfair” Wikileaks documentary. The site was defaced, with links from Pastebin taking users to a new page on the PBS website which featured the following image:

Visitors were coming in their millions (the PBS hack “paste” received 26,000 views), but nothing prepared Pastebin for the traffic it was to receive as a result of LulzSec’s attacks on both Sony and a FBI affiliate.

On June 2, Pastebin was deluged with traffic after it emerged that the group had compounded Sony’s troubles by attacking Sony Pictures, compromising over a million users’ personal information, 75,000 music codes and 3.5 million music coupons. The group posted its findings to the service, only for Sony to serve a takedown notice and have the file removed from the website. Unfortunately, by then the file had proliferated around the web, and was cached by Google Cache, showing 155,000 views before it was deleted by admins.

Just days later, LulzSec kicked the hornets nest, targeting FBI affiliate Infragard and leaking its userbase. As a result of the compromise, the group was able to gain information that implicated the US in attempting to control Libyan cyberspace. The number of views the FBI hack has tallied so far? 111,000 visits.

However, the most popular paste is that of an email exchange between Facebook’s PR company and a blogger, with the social network accused of paying for misinformation to be posted about how Google was scraping user data. Sitting at 263,000 views, Vader explains the rush of traffic Pastebin received on May 12:

The most traffic Pastebin ever received was on May 12th of this year. It was due to the big PR fight between Google and Facebook. The item in question was http://pastebin.com/zaeTeJeJ. Pastebin was getting traffic from CNN, FoxNews, Yahoo! News, Mashable, TechCrunch, NYTimes, Bloomberg, Engadget and many more large news websites. I even heard from a few users that they had heard the name Pastebin come up on local TV shows.

All Eyes On Pastebin

With over 500,000 views of just three pastes, the eyes of the (Internet) world have been increasingly turned towards Pastebin. With hacker groups utilising the service, I asked Vader if he had any connection with Anonymous, LulzSec or Gnosis or if he received any prior notice before important pastes were posted to the site:

There is no relationship between Pastebin and Anonymous, 4chan or the LulzSec crew. Usually I never know when a certain Paste is going to become popular. This time with LulzSec there was a 4 hour warning that something big was about to be released. They put out an announcement on Twitter that they would release something important on Pastebin, and when many users were re-tweeting that story, I quickly found out about it.

Understandably, the companies affected will want any evidence of attacks on their servers removed from view. Pastebin, hosting sensitive data taken from such companies, could come under fire for not intervening when it was posted. I asked Vader if Pastebin had come into any trouble with authorities:

Pastebin always complies with requests from authorities. Pastebin is a website that is used by millions of people every month, and some of those people will create pastes with sensitive information in it. We have a good abuse report system in place that is monitored through out the day.

On an average day about 20,000 new pastes are stored in our database, these are not all checked by hand, but every reported item will be checked by a moderator. If a reported item contains private information it can be removed instantly. Also, Pastebin’s hosting company holds a very firm policy about abuse reports. If they get a request from an authority to get something removed, Pastebin instantly gets a 24h removal warning.

If the item is not removed within 24h, the Pastebin servers will be taken offline. This is something that has never happened yet, as I always try to make sure that all abuse requests get handled straight away.

The LulzSec group has since set up its own website to post news of its escapades, but still uses Pastebin to direct visitors to its newly formed portal. Despite its move, other individuals, unhappy with LulzSec’s actions, have begun to rage their own wars, posting up information that seeks to name the people involved with the group, potentially destroying their anonymity but also aligning them with Anonymous.

This led to Pastebin becoming the hacker equivalent of Tumblr, providing the tools to allow people to vocalise their thoughts and out potentially incriminating information.

Pastebin Logistics

Pastebin hosts a “Trending Pastes” section which lists the most popular shares on the service. At the time of writing around half of the top 60 pastes are related to server compromises, whether they are associated with LulzSec’s attacks or listing usernames and passwords of adult sites.

Speaking to Vader about this trend and also asking about his experience running the site, he noted a flaw in the trending charts, remaining humble for the visitors the sensitive pastes have brought to his website:

The trending chart will be reintroduced as soon as the current version has some problems. Many people have been abusing Pastebin to get ranked high in the trends chart. The new version should be better resistant against fake hits, and therefor fake trends listings.

It is great to see that Pastebin is trusted by so many people to be a reliable website that can withstand high amounts of traffic when important information has to be released.

With so much sensitive information hosted on Pastebin, the website itself has been subject to attacks. Vader recalls one such “attack” that saw a user create a large number of new pastes every few seconds:

Earlier this year Pastebin was under heavy attack by a hacker. This person was creating about 500 new pastes per second, all which were very much alike. Each item contained an email address and a message saying that I had to contact that email address if I wanted this attack to stop.

The requests came from thousands of different IP’s, but I managed to stop it for a few minutes until the hacker came up with another type of attack. Eventually I contacted the person in question. He replied that he was very impressed with my infrastructure, and that he wanted to know on what kind of hardware and software I was running.

He was a big fan of Pastebin, and simply wanted to test the infrastructure. Of course I was fuming with anger at the time of the attack. Funnily enough, over time we got to know each other, and since then he has helped me guard off various other attacks.

Despite owning the website for only a year, Vader thinks there is more to come from Pastebin, refusing offers from interested parties wishing to purchase the site from him.

Even though I have received various offers from people to sell Pastebin, I have denied all of the offers as I believe I can make Pastebin much better and bigger than it already is.

With users able to remain anonymous, Pastebin shows no sign of slowing anytime soon. With short URLs and a platform that stays up despite the traffic it receives, users will continue to link from their Twitter accounts when they need to convey information in more than 140 characters.

Get the TNW newsletter

Get the most important tech news in your inbox each week.