Coinhive breached due to old, reused password

Coinhive has suffered another setback: their DNS records have been surreptitiously changed by attackers, allowing them to steal cryptocurrency mined via the project’s script.

What is Coinhive?

Coinhive is a project that provides Monero-mining JavaScript code to website owners who want to earn money but not bombard visitors with ads.

The script uses the visitors’ computers’ CPU power to mine cryptocurrency, ideally with the visitors’ knowledge and consent. Coinhive keeps around 30% of the value of the mined Monero, and delivers the rest to the owners of the sites that sport the mining script.

The project encountered problems almost as soon as it was started, as many of those site owners began using the script without revealing the scheme to their visitors. This led to the initial script being blocked by many ad blockers.

Soon after, attackers began compromising other people’s and organizations’ websites and equip them with the mining script, while pocketing the proceeds themselves.

The latest incident

Coinhive announced on Tuesday that their account for Cloudflare (their DNS provider) has been accessed by an attacker, and that the DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server.

“This third party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker ‘steal’ hashes from our users,” they explained.

They blame the breach on the fact that they used an insecure password for their Cloudflare account. They apparently used the same one for their Kickstarter account, and didn’t change it after the 2014 Kickstarter breach.

“We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account,” they sheepishly noted, and apologized for this oversight.

“We’re looking for ways to reimburse our users for the lost revenue tonight. Our current plan is to credit all sites with an additional 12 hours of their the daily average hashrate,” they added, and assured users that their web and database servers have not been accessed and that no account information was leaked.

“This Coinhive breach perfectly highlights the weaknesses of password-based security. The credentials used to access Coinhive’s Cloudflare account were compromised years ago. These credentials were encrypted but hackers have repeatedly proven their ability to brute-force weak, predictable and re-used passwords,” says James Romer, Chief Security Architect at SecureAuth.

“Despite bringing in 2FA Coinhive was still compromised because they lacked a comprehensive approach to cyber security. Businesses are often lulled into a false sense of security by an expensive patchwork of solutions – on average, companies use a staggering 75 separate cyber-defence systems to police their networks. Without effective interoperability and communication between these parts breaches like this are inevitable.”