A Coinhive spokesperson told Bleeping Computer the incident occurred on 23 October at around 22:00 GMT, and was discovered and resolved a day later. The attacker reportedly logged into the company's Cloudflare account and replaced DNS records ultimately pointing Coinhive's domain to a new IP address.
"The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014," the company told the publication. "We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account."
As a result thousands of sites around the world loaded this modified Coinhive script that mined Monero for the hacker, instead of legitimate site owners, researchers said.
Tim Helming, director of product management at DomainTools called DNS credentials the keys to the kingdom and that the breach underscores the dangers inherent in both data breaches, and poor password practices.
“Coinhive have suggested this incident was likely as a result of the Cloudfare data breach in 2014, and their failure to update the account in question after the fact,” Helming said. “While data breaches are something of a fact of life in the current cyber-world, a company such as Coinhive should have had two-factor authentication in order to limit the damage to purely a data incident.”
He said the fact that this incident allowed the hacker to mine Monero means that Coinhive had to learn relatively simple lessons, the hard way.