Coinhive said attackers hijacked the DNS records for its domain, changed its settings and briefly pointed its domain at a third-party server, so that the hashes its mining script produced were redirected to the attacker. The cryptominer maker said on Tuesday (24 October 2017) that the attackers logged in with an old password for its Cloudflare account, which it believes was leaked in the Kickstarter data breach of 2014.
The team said the attackers used that old password to reconfigure Coinhive's DNS settings in Cloudflare, briefly replacing the DNS records for its domain so that it resolved to a new IP address. The server at that address hosted a modified version of the coinhive.min.js file with a hardcoded site key, so any mining performed by the script was credited to the attacker's account rather than to the site that embedded it.
"This essentially let the attacker 'steal' hashes from our users," the Coinhive team said in a blog post on Tuesday.
As a result, thousands of sites worldwide that loaded the manipulated script to mine Monero actually did so for the hacker rather than legitimate site owners. The hackers reportedly had control over Coinhive's domain name for around six hours.
Coinhive said no account information was leaked and its web and database servers were not accessed in the attack. It did not say how much revenue was lost while the domain was under the attacker's control.
"We have learned hard lessons about security and used 2FA [two-factor authentication] and unique passwords with all services since, but we neglected to update our years old Cloudflare account," Coinhive said. "We are deeply sorry about this severe oversight."
The company said it is currently looking at ways to reimburse users for the lost revenue.
"Our current plan is to credit all sites with an additional 12 hours of their daily average hashrate. Please give us a few hours to roll this out," the team said.
Hackers also recently inserted Coinhive miner code into popular fact-checking site Politifact to secretly mine cryptocurrencies.