A Coinhive representative told the technology news site Bleeping Computer that the incident began on October 23 at around 22:00 GMT and was discovered and corrected a day later. The attacker logged into the company's Cloudflare account and replaced its DNS records so that Coinhive's domain resolved to a different IP address.
“The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014,” the company told the publication. “We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years-old Cloudflare account.”
As a result, the many sites around the world that embed Coinhive's script were served the modified version, which mined Monero for the attacker rather than for the legitimate site owners, analysts said.
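The attack chain above turns on a single change to a DNS zone: an A record for the host that serves the script is repointed at an address the owner does not control. A check that many operators lack is an independent diff of the live zone against an allowlist of expected records. The following is an added example, written for this page and not code from Coinhive, Cloudflare or the cited analysts; the hostnames, addresses and zone snapshots are constructed to mirror the incident, and the record layout assumes a simple (name, type) to value-set mapping rather than any provider's API format.

```python
"""Detect DNS record tampering by diffing a zone snapshot against an allowlist.

Added example (not Coinhive's or Cloudflare's code). The snapshots below are
constructed: hostnames use the reserved .test TLD and addresses come from
documentation ranges. They model the incident above, where an attacker with
the registrar/DNS-provider login repoints the script-serving host.
"""
import socket
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]          # (owner name, record type)
Zone = Dict[RecordKey, Set[str]]     # key -> set of record values

# Allowlist maintained by the zone owner, stored OUTSIDE the DNS provider
# account so that whoever compromises that account cannot edit it too.
EXPECTED: Zone = {
    ("example-miner.test", "A"): {"203.0.113.10", "203.0.113.11"},
    ("www.example-miner.test", "CNAME"): {"example-miner.test."},
}

# Observed zone before any tampering (constructed).
SNAPSHOT_CLEAN: Zone = {
    ("example-miner.test", "A"): {"203.0.113.10", "203.0.113.11"},
    ("www.example-miner.test", "CNAME"): {"example-miner.test."},
}

# Observed zone after the attacker repointed the apex A record and added a
# host the owner never created (constructed).
SNAPSHOT_HIJACKED: Zone = {
    ("example-miner.test", "A"): {"198.51.100.77"},
    ("www.example-miner.test", "CNAME"): {"example-miner.test."},
    ("cdn.example-miner.test", "A"): {"198.51.100.78"},
}


def diff_zone(expected: Zone, observed: Zone) -> List[str]:
    """Return one alert line per deviation; an empty list means the zone matches.

    Four conditions are reported separately because they call for different
    responses: a rogue value on a known name is the classic hijack, a dropped
    value may be a silent outage, a whole missing record may be sabotage, and
    an unexpected record is often attacker infrastructure parked in the zone.
    """
    alerts: List[str] = []
    for key in sorted(set(expected) | set(observed)):
        name, rtype = key
        want = expected.get(key, set())
        have = observed.get(key, set())
        if key not in expected:
            alerts.append(f"UNEXPECTED_RECORD {rtype} {name} -> {sorted(have)}")
            continue
        if key not in observed:
            alerts.append(f"MISSING_RECORD {rtype} {name} (expected {sorted(want)})")
            continue
        rogue = have - want
        dropped = want - have
        if rogue:
            alerts.append(f"ROGUE_VALUE {rtype} {name} -> {sorted(rogue)}")
        if dropped:
            alerts.append(f"DROPPED_VALUE {rtype} {name} -> {sorted(dropped)}")
    return alerts


def resolve_a_records(name: str) -> Set[str]:
    """Live lookup helper for building an observed snapshot from a monitoring
    host. Not used in the offline demonstration below."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


if __name__ == "__main__":
    for label, snapshot in (("clean", SNAPSHOT_CLEAN), ("hijacked", SNAPSHOT_HIJACKED)):
        findings = diff_zone(EXPECTED, snapshot)
        print(f"{label}: {'OK' if not findings else f'{len(findings)} alert(s)'}")
        for line in findings:
            print("  ", line)
```

Run the check from infrastructure that shares no credentials with the DNS provider account, and resolve through a resolver you control rather than trusting the provider's own zone export, since the same stolen login that edits the records can also edit anything the provider shows you. A discrepancy on the record that serves third-party script is the signal to pull the script offline and rotate the provider credentials before investigating further.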
Tim Helming, director of product management at DomainTools, called DNS credentials the keys to the kingdom and said the breach underscores the dangers inherent in both data breaches and poor password practices.
“Coinhive have suggested this incident was likely as a result of the Cloudflare data breach in 2014, and their failure to update the account in question after the fact,” Helming said. “While data breaches are something of a fact of life in the current cyber-world, a company such as Coinhive should have had two-factor authentication in order to limit the damage to purely a data incident.”
He said that because the incident let the attacker mine Monero, Coinhive ended up learning relatively simple lessons the hard way.