Password reuse resulted in an unknown hacker taking over Coinhive's DNS server and replacing it with a JavaScript in-browserMonero cryptominer.

A Coinhive spokesperson told Bleeping Computer the incident occurred, October 23, at around 22:00 GMT, and was discovered and resolved a day later. The attacker reported logged into the company's Cloudflare account and replaced DNS records ultimately pointing Coinhive's domain to a new IP address.

"The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014," the company told the publication. "We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account."

As a result thousands of sites around the world loaded this modified Coinhive script that mined Monero for the hacker, instead of legitimate site owners, researchers said.