Pastebin: From programmers tool to hacker playground

The word pastebin just means a Web application where you can store text—the idea was developed as an easy way for programmers to store large chunks of source code, either to show people how a certain program works, or to collaborate on projects. Pastebin.com, which started in 2002, is probably the most famous site of this type, and according to a tweet from the company last year, has crossed 20 million “active” pastes, with active being defined as pastes still available on the site that are not identified as spam.

Once the text—any text at all—is pasted, other users can edit it, which makes it useful for programmers. Each of these edits has a unique address, which makes it easy to share large pieces of text on social networks.

This is how a lot of people here have become familiar with the site recently. Someone anonymously posted letters from Tehelka’s Tarun Tejpal and Shoma Chaudhury to the website at this link; then circulated on social networks like Twitter and Facebook.

But while the site might owe its origins to programmers and code, it is most famous today as a space for hackers. People use the site to publish things like credit card numbers and account passwords.

In July 2011, hacker group LulzSec (which would later become famous for its attacks on various world government bodies’ Web presence, including the American CIA and the British Serious Organised Crime Agency, as it was then known) used Pastebin.com to share data it had stolen from Sony Pictures and Fox.com. Malicious scripts are frequently shared on the site, which is often used by hacker groups as a place to brag about their exploits.

The same year, hacker group Gnosis published usernames and passwords of employees of Gawker Media, a US Web publishing company, putting the whole list up publicly on Pastebin. This was just a fragment of the list, and the full file, with user data was meanwhile uploaded using torrents posted to ThePirateBay, a list of over one million usernames and passwords.

So how did a programmer’s tool become a hacker’s playground?

You don’t need an account to make a paste. You can determine who gets to see it, and for how long. You can post anything, anonymously. And you have a short link which you can share freely and easily. The various entries aren’t even checked by hand; instead Pastebin relies on a system where users report bad posts—necessary because several thousand posts are created every day.

Admittedly, you could create a fake Facebook profile, post a long note as public, and link to that as well. But with Pastebin, you are ready to go in seconds, and there’s nothing to link you with the text that’s been posted, unless you want it to be there.

If you’re trying to publicize a lot of text-based information, anonymously, Pastebin is the perfect tool, and hacker groups were already familiar with it as programmers. As a result, hacker groups like Anonymous and LulzSec started using the site extensively to brag about their accomplishments—so much so that the site’s owner, Jeroen Vader, posted a statement that there is no relationship between his site and the various hacker groups that use it. He learns about hacker posts through Twitter, like everybody else.

But much like the hacker groups themselves, Pastebin was due for a change. Around 2011, led by Anonymous, hacker groups were getting political. From hacking government websites to working as online vigilantes, these groups were starting to build a new focus, and if you look at the Trending Pastes section of the website, you see “Leaked by Anonymous”, by an unidentified user, which contains an encrypted string linking people to personal information on G20 leaders, and information on oil company leaders; “Open letter to Microsoft—by Anonymous”; and many other posts which don’t have anything to do with programming at all.

For leakers who want to release text data—such as the internal letters of a company, for example—a Pastebin is a great option for the exact same reasons that it appeals to hackers; it’s anonymous, it’s easy, and the platform is used to handling huge amounts of traffic, so unlike a small server, this won’t become unavailable no matter what. And then the links circulate on Twitter.