Published: 2026-05-24

Paste sites are the path of least resistance for data exfiltration and sharing. They require no account creation, no email verification, offer optional expiry timers, and the resulting URL is immediately shareable. When a threat actor extracts a credential list, configuration file, or database dump, uploading it to Pastebin or a mirror service is typically the first step — before selling it on forums, before distributing through encrypted channels, before using it operationally.

OSINT researchers who monitor paste sites therefore see leaked data earlier than most commercial threat intelligence services. The gap between paste creation and ingestion into major breach databases can range from hours to weeks. That window is where paste OSINT delivers unique value.

The major paste surfaces worth knowing: Pastebin.com remains the highest-volume platform and is partially indexed by Google. ghostbin.com and privatebin.net offer encrypted pastes and self-hosting options. hastebin is common in developer workflows and occasionally leaks internal tooling. rentry.co and dpaste.com see use for code dumps. psbdmp.ws is a third-party aggregator that bulk-indexes Pastebin content and exposes it through a search API, making it the primary entry point for automated paste OSINT.

Beyond the mainstream: Tor-accessible paste services exist specifically to evade takedown. Ahmia.fi indexes a subset of these. Intelligence X (intelx.io) ingests from dozens of sources including Telegram channels and dark web boards where paste links circulate after initial posting. These are more comprehensive but require paid API access.

psbdmp.ws exposes a straightforward REST API. To search for a string:

curl "https://psbdmp.ws/api/search/v3/target@example.com" | jq .

The response is a JSON object containing paste IDs, approximate timestamps, and content snippets that include the search term. To retrieve full paste content, fetch it from Pastebin directly using the paste ID:

curl "https://pastebin.com/raw/<paste_id>"

Rate limiting applies. psbdmp enforces request caps on the free tier. For sustained monitoring you need either the psbdmp API key tier or a queuing system that spaces requests appropriately.

The key limitations to internalize: psbdmp captures public pastes only, and only those it indexed before deletion or expiry. Pastebin allows paste creators to set pastes as unlisted or private — these never appear in psbdmp. Short-lived pastes (set to expire in 10 minutes) are frequently missed entirely. And psbdmp's search is exact keyword matching — no fuzzy matching, no regex, no phonetic similarity. A credential list where the email is stored as target [at] example [dot] com will not match a search for target@example.com.

For high-stakes investigations, do not rely solely on psbdmp. Cross-reference with Intelligence X, run domain-based searches (search for the domain without the local part), and check GitHub Gists separately — gist.github.com is a common paste alternative that psbdmp does not index.

Not every paste match is useful. A single hit of your search term in a paste doesn't necessarily mean the paste is an exposure event. Context determines value.

Structural patterns that indicate a paste contains actionable intelligence:

• Credential list format: Lines structured as email:password, user:hash, or login:token. Thousands of lines suggest a database extract. Dozens of lines may indicate a targeted credential harvest.
• Configuration file patterns: Lines matching DB_PASSWORD=, API_KEY=, SECRET_KEY=, AWS_SECRET_ACCESS_KEY=. These indicate a developer accidentally pasted a .env file or a CI/CD secret was leaked in a build log.
• Source code with hardcoded secrets: Happens when developers paste code for help or debugging. Tokens embedded in strings, connection strings with credentials inline.
• Dump headers: Database dumps often begin with comments identifying the database name, export date, and sometimes the MySQL/Postgres version. These help establish provenance and breach timeline.

Paste age matters in both directions. An old paste referencing your target confirms historical exposure even if the credentials are rotated — it tells you the email address was involved in a breach not yet in known databases. A fresh paste is potentially exploitable right now, which shifts the response priority entirely.

A paste that shows your target's email adjacent to a password string — even partial, hashed, or encoded — is evidence of breach exposure beyond what HIBP reports. HIBP depends on breach operators submitting data. Many smaller breaches, especially from smaller services, never make it into HIBP's dataset at all. Paste monitoring catches some of these.

A paste hit is a pivot point, not a conclusion. The value of finding a target in a paste is what it unlocks in subsequent investigation steps, not what it proves on its own.

Correlation paths from a paste finding:

• Email found in paste → run search_breach to cross-reference known breach databases → run search_email (holehe) to enumerate active platform accounts registered under that email.
• Username found in paste → run search_username (sherlock) to find the same handle across 400+ platforms. Usernames in pastes are often real handles, not throwaway IDs.
• IP address found in paste → check search_ip for geolocation and ASN context → check search_abuseipdb for reputation and reported abuse incidents. IPs appear in paste context as server logs, SSH connection lists, or admin panel access logs.
• Domain or subdomain found in paste → run search_whois for registration details → run search_domain for subdomain enumeration. Domains appear in pastes as infrastructure identifiers, mail server configs, or database connection strings.
• Infrastructure credentials found (AWS keys, database passwords, API tokens) → do not probe the systems. Alert the affected organization through responsible disclosure. Using leaked credentials is illegal in most jurisdictions regardless of investigative intent.

OpenOSINT's AI agent handles this correlation automatically. Pass a paste URL or the email/username found in a paste as the investigation target, and the agentic loop will issue follow-up tool calls based on what each tool returns. The analyst states the initial finding once and receives a consolidated multi-source report.

# Example: OpenOSINT paste-triggered investigation
$ openosint
> I found target@example.com in a paste at pastebin.com/abc123. Investigate.

[search_breach] Checking breach databases...
[search_email] Enumerating accounts...
[search_paste] Cross-checking paste databases...
[search_whois] Checking example.com registration...

One-time paste searches are useful for point-in-time investigations, but paste monitoring is most valuable as a continuous process. The window between a paste being created and being acted on by threat actors is typically hours to days — sometimes less. Defenders who monitor paste sources can detect exposure within that window and respond: rotate credentials, revoke API tokens, notify affected users, and initiate incident response before the damage compounds.

psbdmp includes timestamps for each indexed paste. That timestamp is when psbdmp's crawler captured the paste, not necessarily when it was originally posted to Pastebin. Pastebin's own API (for paying API subscribers) provides the actual creation time. The delta between these two timestamps tells you something about crawler latency and therefore how much time elapsed before the paste entered the searchable index.

For defensive monitoring setups: maintain keyword lists of your organization's domains, executive names, internal service names, and IP ranges. Run automated psbdmp queries on a schedule (hourly or every few hours for high-priority targets, daily for lower-priority). Alert on new hits. Feed confirmed hits into your breach tracking workflow for documentation and response.

For investigators building timeline reconstructions: paste timestamps combined with forum post timestamps and breach sale listings can establish a reasonably precise timeline of when data was exfiltrated, when it was shared, and when it first appeared in criminal markets. This is useful both for legal proceedings and for victim notification — knowing how long credentials have been exposed informs how urgently account holders need to act.

OpenOSINT's search_paste tool wraps psbdmp search and returns structured results that feed directly into the AI agent's correlation loop. Combine it with email OSINT for the most complete exposure picture from a single starting point.

• Email OSINT Guide — Techniques for investigating email addresses including account enumeration and breach correlation
• Breach Check with Open Source Tools — How to query HIBP and other breach databases from the command line
• What Is OSINT? — Foundational overview of open source intelligence methods and tooling