According to a Coinhive spokesperson, the incident took place yesterday, October 23, at around 22:00 GMT, and was discovered and resolved a day later.
Coinhive says the hacker logged into the company's Cloudflare account and replaced DNS records, pointing Coinhive's domain to a new IP address.
This new server pushed a custom version of the coinhive.min.js file that contained a hardcoded site key.
Thousands of sites around the world loaded this modified Coinhive script that mined Monero for the hacker, instead of legitimate site owners. A Coinhive spokesperson told Bleeping Computer the hacker had control over its domain name for about six hours.
"The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014," the company said. "We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account."
The company also said it's looking into ways of reimbursing users who lost revenue for last night's traffic.
"Our current plan is to credit all sites with an additional 12 hours of their the daily average hashrate," Coinhive said.
While the service advertises itself as a legitimate business and possible alternative to online ads, the service has become a favorite among malware devs.
Various Coinhive clones have popped up across the Internet, and even Google is currently exploring ways to block in-browser cryptocurrency miners after the repeated abuse. Most users view Coinhive and similar technologies as malware because most sites and browser extensions don't ask for permission before launching the mining behavior.