Hackers Take Control of Coinhive’s DNS and Steal their Hashes

A yet-unknown group of hackers has targeted the cryptomining website Coinhive, managing to hijack the website’s DNS.

Two days ago (October 24), hackers used Coinhive’s Cloudflare account, which was leaked in the 2014 Kickstarter data breach, to hijack the website’s DNS server, reconfigure its settings and redirect the hash rate of hundreds of clients to an external server. The new, external server hosted a modified version of the coinhive.min.js file that included a hard-coded site key.

Coinhive representatives also gave a brief explanation of what had transpired in a blog post on the same day the attack was performed: “This essentially let the attacker ‘steal’ hashes from our users.”

The experts at Coinhive also said that the hackers accessed Coinhive’s Cloudflare account using an old password, which allowed them to change the Domain Name Server settings and point its domain to a new IP address.

Consequently, during the six hours that the Domain Name Server (DNS) was controlled by the hacker group, thousands of sites across the globe that used the script to mine Monero actually did so for the hackers rather than for the site owners.
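The swap described above changes the bytes of the served script, so a site that pins a digest of the known-good file can detect it. The following is an added example, not code from Coinhive or from the original article: it uses Subresource Integrity style digests (a technique the article does not mention) in Node.js. The script bodies and the key string are constructed samples, and pinning assumes the vendor serves a stable, versioned file.

```javascript
const { createHash } = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an SRI token ("sha384-<base64 digest>") for the exact bytes of a script.
function sriDigest(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Check served bytes against an integrity value that may list several tokens.
// As in browsers, only the strongest algorithm present is considered and any
// token of that algorithm may match. Unlike browsers, a value with no usable
// token fails closed, which is the safer choice for a monitoring job.
function verifyIntegrity(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => ({ algo: t.split('-')[0], value: t.split('?')[0] }))
    .filter((t) => STRENGTH.includes(t.algo));
  if (tokens.length === 0) return false;
  const strongest = tokens.reduce((a, b) =>
    STRENGTH.indexOf(b.algo) > STRENGTH.indexOf(a.algo) ? b : a).algo;
  return tokens
    .filter((t) => t.algo === strongest)
    .some((t) => t.value === sriDigest(body, strongest));
}

// Constructed sample bodies, not the real coinhive.min.js contents.
const PINNED_BODY = 'function Miner(siteKey){this.key=siteKey;}';
const SWAPPED_BODY = 'function Miner(siteKey){this.key="CONSTRUCTED-ATTACKER-KEY";}';

// The value a site owner would record while the file is known good.
const PINNED_INTEGRITY = sriDigest(PINNED_BODY);

// One status line per fetched copy of the script.
function report(name, body) {
  const ok = verifyIntegrity(body, PINNED_INTEGRITY);
  return `${name}: ${ok ? 'matches pin' : 'MISMATCH, served ' + sriDigest(body)}`;
}

console.log(report('original', PINNED_BODY));
console.log(report('after DNS change', SWAPPED_BODY));
```

The same token placed in a script tag's `integrity` attribute makes the browser refuse a file whose digest differs.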

Regarding this security lapse, Coinhive representatives extended their apologies to the community and said in an interview, “We have learned hard lessons about security and used two-factor authentication (2FA), but we neglected to update our years old Cloudflare account.”

Although the DNS was briefly controlled by the hacker, according to Coinhive no account information or user data was leaked. The company also said it is evaluating ways to reimburse users for the lost revenue. Coinhive did not give an exact figure for the financial damage done during the attack.

A few hours after announcing that it was looking for ways to reimburse users, the company released its plan: “Our current plan is to credit all sites with an additional 12 hours of their daily average hash rate. Please give us a few hours to roll this out.”

Coinhive has experienced a surge in popularity recently, thanks to its JavaScript file that allows users to use their CPU power to mine Monero. Many sites use the JavaScript file developed by Coinhive. One of the most popular websites using Coinhive’s mining method is The Pirate Bay, which is running the script together with advertisements. The website Politifact was also recently hacked to include the Coinhive miner code.