PwnBin: A script for scraping Pastebin for leaked API keys, SSH credentials

Pastebins are a great help to programmers, offering a place to store text online for a set period of time and share it with others. They are also loved by hackers, who often use them to leak stolen credentials: mostly usernames and passwords to popular online services, but also other types of sensitive credentials.

Finding out if your API keys and other critical credentials have been compromised is crucial for developers and system administrators, and Canada-based developer Luke Mclaren has created a script that can help them see if they were dumped online.

It’s called PwnBin, and it crawls through public pastebins for specified keywords.

These keywords can be changed by the person who deploys the script but, by default, it searches for passwords, SSH credentials, API keys and tokens.
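The keyword matching described above can be sketched as follows, run over constructed paste text rather than live Pastebin data. This is an added example, not PwnBin's own code; the keyword terms, function names and sample pastes are assumptions, and matched values are redacted so an alert does not repeat the secret.

```python
import re

# Default categories named in the article; the exact terms are assumptions.
DEFAULT_KEYWORDS = ["password", "ssh", "api key", "token"]

def compile_keywords(keywords):
    """One case-insensitive pattern; a space in a keyword also matches '_', '-' or nothing."""
    alts = [r"[\s_-]?".join(re.escape(w) for w in kw.split()) for kw in keywords]
    # Alphanumeric guards stop 'ssh' from firing on 'sshd'; a plural 's' is allowed.
    return re.compile(r"(?<![A-Za-z0-9])(" + "|".join(alts) + r")s?(?![A-Za-z0-9])",
                      re.IGNORECASE)

def redact(line, end):
    """Keep the line up to the first ':' or '=' after the match and drop the value."""
    sep = re.search(r"[:=]", line[end:])
    if not sep:
        return line.strip()
    return line[: end + sep.end()].strip() + " [REDACTED]"

def scan_paste(paste_id, text, pattern):
    """Return (paste_id, line_no, keyword, redacted_line) for each matching line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            keyword = re.sub(r"[\s_-]+", " ", m.group(1)).lower()
            hits.append((paste_id, line_no, keyword, redact(line, m.end())))
    return hits

# Constructed sample pastes (not real data or real credentials).
SAMPLE_PASTES = {
    "paste-001": "db_host = 10.0.0.5\nDB_PASSWORD = example-not-real\n",
    "paste-002": "def compress(data):\n    return zlib.compress(data)\n",
    "paste-003": "API-Key: EXAMPLEKEY0000\nnotes about sshd config\nssh user@host\n",
}

def scan_all(pastes, keywords=DEFAULT_KEYWORDS):
    """Scan every paste with the deployer's keyword list (defaults above)."""
    pattern = compile_keywords(keywords)
    return [hit for pid in sorted(pastes) for hit in scan_paste(pid, pastes[pid], pattern)]

if __name__ == "__main__":
    for hit in scan_all(SAMPLE_PASTES):
        print(hit)
```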

Mclaren told Softpedia that, in time, he intends to upgrade the tool and add support for crawling other pastebins (it currently only trawls through Pastebin.com), add an option that will allow results to be ranked according to relevance, and possibly even add database integration.

Finally, he also allows for the possibility that he would create a site similar to Troy Hunt’s Have I Been Pwned?, which would allow developers to discover whether their API keys have been compromised.
