A great example of folks either re-using passwords, or simply not being aware that their credentials have been included in a previous leak/breach.

For an idea of a timeline, and a useful reminder to check your own personal accounts (and those dreaded shared accounts internally):

    - Feb 15 2014 - Kickstarter breach occurred
    - Oct 08 2017 - HaveIBeenPwned import the dump, suggesting it is publicly available, or at least being shared around.
    - Oct 24 2017 - Coinhive suffer their DNS breach.
Services such as Troy's HaveIBeenPwned are an excellent resource, and I can wholeheartedly recommend signing up for the 'Notify Me' function: https://haveibeenpwned.com

I recently released something similar for corporate environments, allowing businesses to produce pseudo-users to insert into their user base. These 'canaries' are unique to them & come with real email addresses and phone numbers, so should they ever be contacted you can be pretty sure you've suffered a breach of some kind. We of course also check the usual suspects (Pastebin, Tor) for any similar evidence of a breach. You can see some more details here: https://breachinsider.com
Cloudflare will not let you have individual users without the (unspecified) “Enterprise” pricing plan. Even on the Business plan, we get to copy/paste one password around the team. Great for security.

Every other service (especially that critical!) we use gives it away with the actual service. I really dislike this about Cloudflare.
Anyone that hosts JavaScript for 3rd parties is a target for this type of breach. That Coinhive miner script could easily be embedded into any other JavaScript file.
Can you imagine the damage done to a CDN if the attacker would supply extremely long Expire/Caching/key-pinning headers? All clients visiting the malicious server would be cache poisoned for a loooong time.
> This third party server hosted a modified version of the JavaScript file with a hardcoded site key.

A site key for a user on coinhive or pointed at a different website altogether? If it's just a site key it should be dead-simple to close that account:

    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>
    var miner = new CoinHive.User('<site-key>', 'john-doe');
    miner.start();
    </script>
We use Okta internally.

As much as I hated it at first, we don't choose any provider that doesn't support single sign on and multiple users.

You can choose a password policy that is different (stricter) than the downstream services.

One more good thing about it is that you have all of your services in one place and you know when you need to change password on one of them or all of them. You can do it with a nice dashboard.

This made managing access a much nicer experience for us and I can imagine will minimize things like that from happening.
I'd say the internet was better off for a bit, but it looks like the hack just temporarily made Coinhive's malware make money for a separate set of bad actors for a while.

edit: For the downvoters, if you've noticed your CPU fans running while visiting a variety of sites lately, chances are Coinhive's the reason. Non-consensual altcoin mining as a service!
"uBlock Origin has prevented the following page from loading: coinhive.com"

I can't read what it's about but it looks like it's already blocked.

Would anyone mind giving a summary?
How is blowing out your visitors' CPU for profit, without an opt-in notification, not malware itself?

Thieves stealing from thieves, IMHO.

Edit: from the downvotes to any comment that's critical of Coinhive I see the Coinhivemind is not fond of simple ethical quandaries.