Hacker Takes Over Coinhive DNS Server After Company Reuses Old Password

LASER_oneXM

An unknown attacker has hijacked Coinhive's DNS server and replaced the legitimate Coinhive JavaScript in-browser miner with a malicious version that mined Monero for the hacker's own wallet.

According to a Coinhive spokesperson, the incident took place yesterday, October 23, at around 22:00 GMT, and was discovered and resolved a day later.

Coinhive says the hacker logged into the company's Cloudflare account and replaced DNS records, pointing Coinhive's domain to a new IP address.

This new server pushed a custom version of the coinhive.min.js file that contained a hardcoded site key.

Thousands of sites around the world loaded this modified Coinhive script that mined Monero for the hacker, instead of legitimate site owners. A Coinhive spokesperson told Bleeping Computer the hacker had control over its domain name for about six hours.

Coinhive blamed the incident on password reuse
"The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014," the company said. "We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account."

Some users are probably happy about Coinhive's breach
Coinhive is a service that launched in mid-September and allows site owners to load a JavaScript file on their websites and mine Monero using their users' computers.


While the service advertises itself as a legitimate business and possible alternative to online ads, the service has become a favorite among malware devs.


Various Coinhive clones have popped up across the Internet, and even Google is currently exploring ways to block in-browser cryptocurrency miners after the repeated abuse. Most users view Coinhive and similar technologies as malware because most sites and browser extensions don't ask for permission before launching the mining behavior.
 