The man who runs Pastebin says he is going to crack down on people using the site to post stolen data. Jeroen Vader says he will not only bring in extra staff, but will attempt to proactively monitor the site.
In theory at least, Pastebin (which is the name of a specific site as well as the name of a concept) is meant to be used for posting text that is too long to fit in another medium. Examples can include Twitter users posting lengthy messages that won’t fit in a single tweet, or people discussing coding in a chatroom who don’t want to clog up the chat by posting a long sample of code. One of the beauties of pastebins is that because they only contain text, it’s possible to store a huge number of messages indefinitely without having major worries about server space.
In practice, Pastebin has become hugely popular with “hacktivist” groups such as Anonymous or LulzSec, both as a way of posting instructions for taking part in an attack (such as a distributed denial of service) and as a place to post stolen data such as login details or email dumps. At the time of writing, nine of the ten most popular posts appeared to be linked to hacking or other online attacks, mainly as lists of suggested targets.
As well as asking users not to post spam or porn, Pastebin has an acceptable use policy that bans posting of stolen source code, personal information, and email/password/login lists.
In the past the site has used a passive monitoring system under which it investigates reports of breaches: Vader told the BBC he gets around 1,200 such reports a day. In the future, though, the site is going to take on additional staff who will actively seek out potential abuses. Vader says it is “pretty impossible” to catch abuses with automated filters, while the site’s FAQ suggests the monitoring will involve checking any post that receives “unusually high traffic.”
The change in policy could mean a short-term financial hit. As well as having to spend extra on staff, Pastebin will lose banner ad revenue from popular posts that breach the rules.
Vader noted that although Pastebin logs IP addresses for spam prevention purposes, they would only ever be handed over to authorities when there is a valid court order requiring it.