
Be careful when self-hosting public PrivateBin on inexpensive lifetime shared hosting -- it's risky!

Kyz Member
edited February 20 in General

To be clear, i don't blame Xhosts.uk for this, this is completely my fault as i let my self-hosted PrivateBin public (which was meant for my personal use only) and even listed it for almost a year, which leads to some bad guy abusing it to post "CSAM" contents and got my 3.5£ lifetime hosting banned.

Here's what happened:
At 18/02/2026 22:10 (10:10 PM) my time, i got this email called "Notice of Account Termination – Policy Violation"

I replied and told them this:

Xhosts.uk then replied with this:

at this point, i was really surprised. The link provided in above screenshot was indeed from my domain. but the content wasn't uploaded by me, and even if i can still access my control panel to see the content inside, i won't be able to know what was posted and who posted it, because everything is encrypted, and that's by design.

So, i apologized, explained what happened and offered to take down the entire PrivateBin instance. to which, Xhosts.uk understandably replied:

which is good what they do, by the way, for not reinstating my service. because someone could use this to abuse the limit, to test what they can do before actually getting banned permanently.

And so, i learned my lesson the hard way. I lost my 3.5£ lifetime hosting which i had for almost a year, and i possibly can no longer use their service because of this.
I just want to share this here as a PSA, because apparently self-hosting a user-generated content type website is not a good idea. Stupid, i know.


Comments

  • forest Member
    edited February 20

    Oh wow. Well, now everyone knows how to get any xHosts service they don't like shut down. I can see why that trick is so popular these days. It's surprising considering they allow Tor exits which can result in quite a large amount of that stuff.

    There is no appeal options when the issue has been reported by law enforcement

    But INHOPE is not a law enforcement agency? They even said they simply CCed the message to law enforcement. So I expect, unless there is a report they didn't forward, that you should be able to appeal (assuming their reasoning denying the appeal was not invented post hoc).

  • stefeman Member
    edited February 20

    You fucked up, I'm siding with the host here cause he's not sure if he's dealing with innocent bystander who got used or culprit who just plays innocent and does it again somehow else.

  • Kyz Member

    @forest said:
    Oh wow. Well, now everyone knows how to get any xHosts service they don't like shut down. I can see why that trick is so popular these days. It's surprising considering they allow Tor exits which can result in quite a large amount of that stuff.

    There is no appeal options when the issue has been reported by law enforcement

    But INHOPE is not a law enforcement agency? They even said they simply CCed the message to law enforcement. So I expect, unless there is a report they didn't forward, that you should be able to appeal (assuming their reasoning was honest).

    I lost the ability to appeal when they said that, which i understand why, and wouldn't push further with it.

  • Kyz Member

    @stefeman said:
    You fucked up, I'm siding with the host here cause he's not sure if he's dealing with innocent bystander who got used or culprit who just plays innocent and does it again somehow else.

    yeah, i don't argue with that, this was definitely my fault. but now i realise that any other instances of PrivateBin listed could have the same fate as mine if someone abused it again

  • forest Member
    edited February 20

    @Kyz said: yeah, i don't argue with that, this was definitely my fault. but now i realise that any other instances of PrivateBin listed could have the same fate as mine if someone abused it again

    I don't think it's your fault at all. It's not unexpected that someone paying for a hosting service would expect that their only obligation is to make sure that bad content is promptly taken down. Otherwise, no serious website would be able to exist.

    Now, if you kept receiving report after report and didn't take the content down yourself, then that would be neglectful and any non-bulletproof host would remove you. xHosts is under no legal obligation to terminate you when you broke no policies or laws (although they of course have that right), but people naturally panic when they receive reports of that kind.

    The one thing that bothers me is the statement:

    There is no appeal options when the issue has been reported by law enforcement

    Because it wasn't reported by law enforcement. So is the answer "well, we said that but what we really meant is that there are no appeal options when this issue has been reported by any hotline"? Because being excessively strict as a CYA measure is one thing, but giving (at least at first glance) false reasoning is different.

    Additionally:

    we are duty bound to remove the account

    This is a patent falsehood. They have the right to remove any account they choose and for any reason, but they should not be claiming that they are required by law to do so. They are only required by law to remove the content quickly when it is reported to them and, if they receive a data preservation request or subpoena, to comply with the text.

    "I don't have time to deal with this shit from a £3.50 lifetime account" is one thing, but it's inappropriate to make up false claims that one's hands are tied when they are not, regardless of whether the suspension is justified.

  • @Kyz said: leads to some bad guy abusing it to post "CSAM" contents and got my 3.5£ lifetime hosting banned

    Well, you didn't lose much, and making a public-facing pastebin service has its risk, it's on you.

    Thanked by 1oloke
  • Kyz Member

    @forest said:

    @Kyz said: yeah, i don't argue with that, this was definitely my fault. but now i realise that any other instances of PrivateBin listed could have the same fate as mine if someone abused it again

    I don't think it's your fault at all. It's not unexpected that someone paying for a hosting service would expect that their only obligation is to make sure that bad content is promptly taken down. Otherwise, no serious website would be able to exist.

    Now, if you kept receiving report after report and didn't take the content down yourself, then that would be neglectful and any non-bulletproof host would remove you. xHosts is under no legal obligation to terminate you when you broke no policies or laws (although they of course have that right), but people naturally panic when they receive reports of that kind.

    it's true that this was unexpected, that i had no control over what was posted. but according to their web hosting policy (link on the screenshot), i did violate the rules. and again, i don't blame Xhosts.uk for enforcing these rules

    Thanked by 1oloke
  • Kyz Member

    @duckeeyuck said:

    @Kyz said: leads to some bad guy abusing it to post "CSAM" contents and got my 3.5£ lifetime hosting banned

    Well, you didn't lose much, and making a public-facing pastebin service has its risk, it's on you.

    yup, learned the hard way myself, and i get the value out of it anyway, so 3.5 pounds for almost a year is not really a bad deal

  • forest Member
    edited February 20

    @Kyz said:

    @forest said:

    @Kyz said: yeah, i don't argue with that, this was definitely my fault. but now i realise that any other instances of PrivateBin listed could have the same fate as mine if someone abused it again

    I don't think it's your fault at all. It's not unexpected that someone paying for a hosting service would expect that their only obligation is to make sure that bad content is promptly taken down. Otherwise, no serious website would be able to exist.

    Now, if you kept receiving report after report and didn't take the content down yourself, then that would be neglectful and any non-bulletproof host would remove you. xHosts is under no legal obligation to terminate you when you broke no policies or laws (although they of course have that right), but people naturally panic when they receive reports of that kind.

    it's true that this was unexpected, that i had no control over what was posted. but according to their web hosting policy (link on the screenshot), i did violate the rules. and again, i don't blame Xhosts.uk for enforcing these rules

    Indeed, but this does indicate that xHosts is positioning itself as a web host for private, hobbyist content only, not for any kind of public, interactive website (forums, blogs with comments, etc.) or any other such content.

    The typical response from providers that are willing to host serious websites is:

    1. Verify that the account holder itself is not responsible for the abuse.
    2. Notify the account holder that they must remove the offending content within XX hours.
    3. Verify that the content actually has been removed after the account holder responds.
    4. Reply to the hotline report that the content has been removed.

    For small accounts, the service is often suspended during this process. For large accounts, the service remains online (after all, no one expects Facebook to go down every time someone reports something illegal, but £3.50 one-time is far from large).

  • Ssre Member

    Any serious host will understand that if you're accepting user generated/uploaded content, that these things can unfortunately happen. Even if you're filtering/screening/PhotoDNA etc.

    However, if you've only paid them 3.50 for a lifetime account, I get them saying it's not worth it for them to continue dealing with it.

    Thanked by 3forest MikeA oloke
  • forest Member
    edited February 20

    @Ssre said: However, if you've only paid them 3.50 for a lifetime account, I get them saying it's not worth it for them to continue dealing with it.

    That's true, but shouldn't all customers be treated equally? While a dirt-cheap account may tip the weight in favor of "maybe this guy isn't legit", I don't think there was any question that OP was not the abuser themselves, right?

    Not to mention, the tickets in the screenshot frame the situation as if the provider's hands were tied, which is false. They should have just said they don't want to deal with this from a customer who is not earning them anything, not that they are somehow legally required to terminate the account (as opposed to being required to remove the content, which they are).

    Thanked by 1Kodomu
  • Wow, they didn't even give you a server backup?

  • forest Member
    edited February 20

    @Monocle said:
    Wow, they didn't even give you a server backup?

    To be fair, it would probably have required them to go through the server's database to remove the offending content, which no one is going to do for a cheapo lifetime web host plan.

    And OP is just writing a PSA so others are aware, not explicitly complaining.

    Thanked by 1Kodomu
  • Kyz Member

    @forest said:

    @Ssre said: However, if you've only paid them 3.50 for a lifetime account, I get them saying it's not worth it for them to continue dealing with it.

    That's true, but shouldn't all customers be treated equally? While a dirt-cheap account may tip the weight in favor of "maybe this guy isn't legit", I don't think there was any question that OP was not the abuser themselves, right?

    Not to mention, the tickets in the screenshot frame the situation as if the provider's hands were tied, which is false. They should have just said they don't want to deal with this from a customer who is not earning them anything, not that they are somehow legally required to terminate the account (as opposed to being required to remove the content, which they are).

    i appreciate your comments on this issue. this might be seen as unfair for me in a way, but at the end of the day, i let this happen in the first place. so, well, it happened, and i kinda already made peace with it XD

    Thanked by 1oloke
  • Kyz Member

    @Monocle said:
    Wow, they didn't even give you a server backup?

    nothing much in there anyway so i'm fine

  • forest Member
    edited February 20

    @Kyz said:

    @forest said:

    @Ssre said: However, if you've only paid them 3.50 for a lifetime account, I get them saying it's not worth it for them to continue dealing with it.

    That's true, but shouldn't all customers be treated equally? While a dirt-cheap account may tip the weight in favor of "maybe this guy isn't legit", I don't think there was any question that OP was not the abuser themselves, right?

    Not to mention, the tickets in the screenshot frame the situation as if the provider's hands were tied, which is false. They should have just said they don't want to deal with this from a customer who is not earning them anything, not that they are somehow legally required to terminate the account (as opposed to being required to remove the content, which they are).

    i appreciate your comments on this issue. this might be seen as unfair for me in a way, but at the end of the day, i let this happen in the first place. so, well, it happened, and i kinda already made peace with it XD

    Just imagine if you were running a forum with hundreds of members and one of them got mad at you and decided to spam that shit to take the forum down! That would be a lot more frustrating. :P

    Thanked by 2rpqu Kodomu
  • Kyz Member

    @forest said:
    Just imagine if you were running a forum with hundreds of members and one of them got mad at you and decided to spam that shit to take the forum down! That would be a lot more frustrating. :P

    i would be really mad lol.. but then, a forum with hundreds of members would use something a bit more expensive, and not some cheap lifetime hosting. and they would have more power to talk with the provider. unlike a random john doe like me, who uses unprofitable lifetime hosting XD

  • @forest said: But INHOPE is not a law enforcement agency?

    inhope is an NGO that operates as a semi-governmental organization. these excesses with these NGOs in germany are perverse. don't get me wrong, CSAM is disgusting, but these issues must be investigated by the police and not by private organizations that are funded by the state but otherwise largely escape control and the rule of law.

  • forest Member
    edited February 20

    @hyperblast said:

    @forest said: But INHOPE is not a law enforcement agency?

    inhope is an NGO that operates as a semi-governmental organization. these excesses with these NGOs in germany are perverse. don't get me wrong, CSAM is disgusting, but these issues must be investigated by the police and not by private organizations that are funded by the state but otherwise largely escape control and the rule of law.

    Indeed. There are countless examples of organizations like NCMEC using bot farms that report non-issues. There's even a "fun" technique (which I won't describe here) which allows me to, using one of their APIs, remove almost any image or video from Facebook, X, Instagram, etc. with no oversight or confirmation.

    Governments are lazy and would rather pretend they're doing something by offloading it onto organizations that don't have the same strict oversight and due process requirement that they do.

    Thanked by 2rpqu Kodomu
  • SHOCKED PIKACHU FACE
    Year is 2026, people still think "I didn't do it, I just host stuff!!!!!" applies to them.

  • forest Member
    edited February 20

    @JabJab said: Year is 2026, people still think "I didn't do it, I just host stuff!!!!!" applies to them.

    Well, it's true. Or do you think that the LET admins are responsible for everything posted here, even if they take care of removing illegal content? It's not like OP posted an imageboard with no moderators and then linked it on 4chan and said "have at it guys!". He hosted a text site that doesn't even have the ability to store images.

    This is just a case of a low-end provider getting spooked by a report from a hotline, confused it with a court order (judging by their claim that they thought INHOPE was a law enforcement agency), and on top of it all, this involved a dirt-cheap lifetime account that earned them nothing. The only real upshot is that low-end plans get low-end support.

    Thanked by 3Ssre iKeyZ Kodomu
  • ralf Member

    @forest said:

    @JabJab said: Year is 2026, people still think "I didn't do it, I just host stuff!!!!!" applies to them.

    Well, it's true. Or do you think that the LET admins are responsible for everything posted here, even if they take care of removing illegal content?

    Actually, under UK law at least, yes they are responsible for everything posted here, which is exactly why they have to remove the offending content if it appears.

    It's not like OP posted an imageboard with no moderators and then linked it on 4chan and said "have at it guys!". He hosted a text site that doesn't even have the ability to store images.

    It hosted whatever binary files were uploaded to it. It absolutely did have the ability to store images.

    Thanked by 2oloke TimboJones
  • forest Member
    edited February 20

    @ralf said: Actually, under UK law at least, yes they are responsible for everything posted here, which is exactly why they have to remove the offending content if it appears.

    They're responsible for removing it. If someone posted that content here, the admins would not get arrested for possession and distribution as long as they remove it promptly. That's not unique to the UK either. The US is similar.

    @ralf said: It hosted whatever binary files were uploaded to it. It absolutely did have the ability to store images.

    Ah, I didn't notice the paste sites had an "attach a file" option. My bad.

    Thanked by 1Kodomu
  • Kyz Member

    @ralf said:
    It hosted whatever binary files were uploaded to it. It absolutely did have the ability to store images.

    true, which is why i couldn't possibly know which one is what image if any, i can't even open the file myself, it's all jumbled there, encrypted

    @forest said:
    Ah, I thought it was a paste site not a file sharing site. My bad.

    it is a paste site, with "attach a file" can be enabled in config. which i did enable it, which adds to another of my mistakes here lol
    my guess this guy used this "attach a file" feature to upload image, which will then show up the image. i opened the privatebin instance list and found a page that also has file attachment enabled. this website could probably be abused the same way as mine

    Thanked by 1oloke
  • ralf Member

    @forest said:

    @ralf said: Actually, under UK law at least, yes they are responsible for everything posted here, which is exactly why they have to remove the offending content if it appears.

    They're responsible for removing it. If someone posted that content here, the admins would not get arrested for possession and distribution as long as they remove it promptly. That's not unique to the UK either. The US is similar.

    Well yeah. That's what I'm saying too - hence why I said they had to remove the offending content. If they don't remove it promptly, then they are responsible for the content. What qualifies as "promptly" probably depends a lot on your lawyers if law enforcement actually decided to prosecute for distribution of CSAM.

    The reason I mentioned the UK is the new online safety act requires pre-emptive screening, not just relying on getting a takedown notice. If you're not actively making sure all your content is compliant, then yes you can be held liable.

  • @Kyz said: it is a paste site, with "attach a file" can be enabled in config. which i did enable it, which adds to another of my mistake here lol

    Yep, I just edited my post after realizing that some of them have file upload support.

    Thanked by 1Kodomu
  • @ralf said: What qualifies as "promptly" probably depends a lot on your lawyers if law enforcement actually decided to prosecute for distribution of CSAM.

    At least in the US and EU, it's a fixed number of hours. Is it variable in the UK?

    @ralf said: The reason I mentioned the UK is the new online safety act requires pre-emptive screening, not just relying on getting a takedown notice

    Isn't that only for hosts of a certain size? Or did they not realize that people with blogs with comments would be unable to afford preemptive scanning when they signed that law?

    Thanked by 1Kodomu
  • Ssre Member

    @forest said:
    That's true, but shouldn't all customers be treated equally? While a dirt-cheap account may tip the weight in favor of "maybe this guy isn't legit", I don't think there was any question that OP was not the abuser themselves, right?

    In an ideal world, but unfortunately we're far from that. Perhaps if it were a host that champions freedom of speech, then they may be more willing to deal with the extra hassle.

    @JabJab said:
    SHOCKED PIKACHU FACE
    Year is 2026, people still think "I didn't do it, I just host stuff!!!!!" applies to them.

    That's the foundation of the internet. Legally, service providers aren't held liable for their users' actions (within reason - can't be promoting illegal activity or ignoring reports).

    Though many hosts will have something in their ToS about instant account closure for stuff like this, there are plenty of major hosts out there who are fine with it as long as you deal with reports in a timely manner, or provide them a tool to take down content themselves.

    Thanked by 1forest
  • ralf Member

    @forest said:

    @ralf said: What qualifies as "promptly" probably depends a lot on your lawyers if law enforcement actually decided to prosecute for distribution of CSAM.

    At least in the US and EU, it's a fixed number of hours. Is it variable in the UK?

    No, it's 48 hours maximum AFAIK.

    Maybe I'm wrong though, but I suspect if you run a site with a lot of traffic, it wouldn't be considered acceptable to keep such material up for e.g. 47 hours after it was reported, and if you kept doing that then probably you would still be prosecuted for facilitating distribution.

    @ralf said: The reason I mentioned the UK is the new online safety act requires pre-emptive screening, not just relying on getting a takedown notice

    Isn't that only for hosts of a certain size? Or did they not realize that people with blogs with comments would be unable to afford preemptive scanning when they signed that law?

    No, it's everyone. One of the big problems is that it basically means that only huge mega corps can afford to hire enough people to comply with the regulations. That's why loads of blogs in the UK have now removed/disabled the comment sections.

    And it's not just CSAM, it's basically anything that could be deemed harmful to children, e.g. if it's text about encouraging self-harm or worse. If you have any unmoderated comment section at all, it's now a massive liability.

  • Kyz Member
    edited February 20

    @Ssre said:
    there are plenty of major hosts out there who are fine with it as long as you deal with reports in a timely manner

    if only they knew i was there, ready to take the website down entirely, as soon as i got the email telling me about the termination. they even tell me to contact them if i think it's an error, in 72 hours period. but as soon as i explained to them, they tell me (as the post says) "no appeal options"
