More than 300,000 credentials (username and password pairs) were posted on the clipboard website Pastebin.com in the year 2013 alone, according to a recent analysis by a Swiss security firm.
As part of an experiment to determine how big the hacking industry is, High-Tech Bridge, a company until now perhaps better known for spurring the formation of Yahoo’s bug bounty program last fall, scoured through information Pastebin users posted to the site during the last 12 months.
The group found 311,095 username/password pairs in total, a number that translates to about 1,000 user credentials per leak, according to a post on the firm’s site today.
At just shy of 41 percent of the leaks found, credentials belonging to email systems took the largest slice of the pie. In particular, Gmail and Yahoo Mail users accounted for nearly 50 percent of the compromised email credentials. Users still clinging to Hotmail accounts and Russian users of the mail.ru platform followed, with about 8 percent and 5 percent of the compromised email log-ins respectively.
The group also discovered something that anyone who’s ever been to the site has likely been able to deduce: There’s a lot of clutter to sift through as well.
The group found and filtered out a lot of what it calls “garbage,” mostly minor information leaks—breaches affecting fewer than 100 users, blatantly fake or forged claims of hacks, and copies of previously reported hacks.
Administrators on the site regularly remove information, especially when it’s sensitive, so forensics experts at High-Tech Bridge used “Google’s cache and other tools” to track down information that had already been removed.
Pastebin has long been thought of as a den of iniquity of sorts as far as websites go – the site has served as a treasure trove of secrets, sensitive information and, as the folks at High-Tech Bridge have shown, plenty of usernames and passwords. In 2012, the site was a destination for hackers affiliated with Anonymous and LulzSec, so much so that the site’s owner said at the time he was planning to hire more staff to patrol the site and erase sensitive information.
While the 300,000 figure pales in comparison to the staggering amount of information stolen from Target in November and December, Ilia Kolochenko, High-Tech Bridge’s CEO, acknowledged that his firm’s research uncovered just a small part of the problem.
“These 300,000 [credentials] are just a small percentage of the stolen information posted publicly by hackers. It’s impossible to make a precise estimate of how many user accounts were really compromised, but I think we can speak about several hundreds of millions at least,” Kolochenko said.
Last October Kolochenko prompted Yahoo to revise its bug bounty program after he famously reported receiving two scant $12.50 company store discount codes for discovering a pair of cross-site scripting (XSS) bugs.
Facing a torrent of bad publicity, Yahoo revamped its policy and said that going forward it would reward researchers who responsibly report “new, unique and/or high-risk issues” with between $150 and $15,000.