Coinhive, the Monero miner maker that has proven a hit with ‘pirate’ sites, has been hacked as the company failed to update a password that was at least three years old.
The company said on Tuesday that hackers had used an old Cloudflare account password to reconfigure coinhive.com’s DNS settings.
The method that the hackers used to access the company’s DNS provider lay in a basic security error. The good news, the team stressed, is that no user account information was leaked and that its website and database servers were uncompromised.
In its official statement, the company said: “The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014. We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account.”
The company hasn’t revealed how long the unauthorized redirect stayed in place for, but it appears that all coins mined on sites hosting Coinhive’s script were ‘stolen’ during the period, instead of being credited to their accounts.
Coinhive said it will reimburse users for the lost revenue. The plan is to credit all site owners with an additional 12 hours of Monero mining based on their daily average hashrate. One Monero coin, 1 XMR, is worth about $89 right now.
As the company said, the credential used to hijack its Cloudflare DNS was leaked in the Kickstarter hack, which highlights the dangers of reusing passphrases and not setting up two-factor authentication for everything. It demonstrates how dangerous it is to reuse passwords for multiple accounts on the web.