Hackers hijack Coinhive cryptocurrency miner through an old password

Yet another lesson in how not to secure your network.
Written by Charlie Osborne, Contributing Writer

Video: How focusing on data security can help your business

Coinhive has admitted to a security breach leading to hackers hijacking cryptocurrency mining scripts on legitimate websites.

The cryptocurrency mining software provider said this week that at approximately 10 pm GMT on Monday, the firm received a note from its DNS provider, Cloudflare which warned Coinhive that its account had been accessed by a threat actor.

The DNS records for coinhive.com had been manipulated to redirect requests for coinhive.min.js to a third-party server, containing a modified version of the JavaScript file with a hardcoded site key.

The Coinhive Javascript is embedded by users into their websites as a way to mine for the cryptocurrency Monero, but the attackers were able to hijack this script to ensure mined funds entered a wallet they controlled rather than user wallets.

"This essentially let the attacker "steal" hashes from our users," Coinhive says.

The script used to implement cryptocurrency miners in website domains is a new, albeit controversial idea.

Mining for virtual currency is being examined as an alternative to third-party ads as a way to generate revenue and it was the Pirate Bay's pilot trial which propelled the idea into the spotlight.

Due to a coding error, users spotted the website's miner as it pulled huge amounts of CPU power from visitor systems, rather than 20 to 30 percent as originally intended.

Following visitor backlash, the Pirate Bay admitted to testing the miner as a "way to get rid of all the ads."

Other parties have begun exploring mining, too. According to a report from Adguard, 2.2 percent of the top 100,000 websites on the Alexa list are now mining through user PCs -- but few are asking for permission first.

Coinhive miners are currently stopped from operating by many adblockers, but for websites using the software to generate cash, losing their hashes would likely be met with annoyance.

Read also: Imminent Bitcoin Gold fork met with skepticism

It appears that the Cloudflare account credentials may have been leaked in the Kickstarter data breach.

In 2014, hackers were able to access some accounts and steal customer usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.

Since the passwords taken were encrypted, it may be that Coinhive's Cloudflare password was particularly weak and susceptible to a brute-force attack.

The company, however, is nothing if not honest about where the true blame lies.

"We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years-old Cloudflare account," Coinhive says. "We're deeply sorry about this severe oversight."

Thankfully, for users, no account information was leaked and Coinhive's web domain and database servers were not accessed.

In order to smooth over the security incident, Coinhive plans to credit all websites using the script with an additional 12 hours of their the daily average hashrate.

Must-have mobile apps to encrypt your texts and calls

Related stories

Editorial standards