Coinhive, a widely used browser-based cryptocurrency mining service, was compromised after failing to change a three-year-old password. The site's DNS records were altered, which let the attacker steal the hashes mined on its users' websites. The service has been popular with pirate sites, but a basic lapse in account security left it open to the attack.
About a month earlier, a JavaScript miner had been quietly added to The Pirate Bay. Visitors noticed that their CPU usage had spiked, which raised a red flag, and the site was found to be running a miner provided by Coinhive.
Many users objected, arguing that the site should have asked their permission first. Nonetheless, the miner generated additional revenue for the site, and many other sites soon followed suit.
Here’s the twist – An unnamed attacker redirected user mining traffic
Coinhive now faces an unexpected problem: earlier this week it disclosed that its mining traffic had been hijacked. The company revealed that on Monday night a third party gained access to its DNS records, which allowed an unnamed attacker to redirect its mining traffic to a server under the attacker's control.
Coinhive gave a statement saying:
“The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server. This third party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker ‘steal’ hashes from our users.”
Coinhive did not say exactly how long the unauthorized access lasted, but it appears that, for the duration of the hijack, everything mined on websites using Coinhive's script went to the attacker rather than being credited to the site owners' accounts.
Coinhive denies that any user account information was leaked and says its servers and website themselves were not compromised. Even so, the way the attacker gained access to its DNS provider account points to a serious security lapse on the company's part.
Kickstarter also faced a similar breach in 2014
A related episode involves Kickstarter, the crowdfunding platform, which suffered a major data breach in 2014; Coinhive's operators had an account there. Kickstarter shut down the unauthorized access, improved its systems and advised its users to change their passwords.
Coinhive did tighten its security after that warning, but it failed to change the password on its Cloudflare account. By the company's own account, that password had not been changed since the Kickstarter breach three years earlier, and it was the most likely way the attacker got at the DNS records this week.
In its statement, Coinhive also said:
“The root cause for this incident was an insecure password for our Cloudflare account. It was probably leaked with the Kickstarter data breach back in 2014. We have learned hard lessons about security and used 2FA and unique passwords with all services since. However, we neglected to update our years old Cloudflare account.”
Kickstarter, for its part, had posted a low-key reminder earlier this month that the 2014 breach is still having consequences, without naming Coinhive. In that update it said that some of its users were receiving prompts from a breach-notification service asking for more information about the incident.
Coinhive promises to reimburse
To its credit, Coinhive issued a prompt apology and has committed to compensating sites that lost revenue because of the DNS hijack.
Their apology stated:
“We’re deeply sorry about this severe oversight. Our current plan is to credit all sites with an additional 12 hours of their daily average hashrate. Please give us a few hours to roll this out.”
Although the attack damaged Coinhive's image, its transparency and the compensation offer have helped it avoid a serious loss of trust among its customers.