The hacker was likely able to access Coinhive’s Cloudflare account because the account’s password was leaked in the Kickstarter data breach that occurred in 2014. Although the passwords leaked in that breach were encrypted, an attacker could decrypt any that were weak. This means it is likely that Coinhive was using weak passwords for multiple accounts.
According to a blog post on Coinhive’s website, no user account information was breached and Coinhive’s web servers and database servers were not accessed during the hack.
“The root cause for this incident was an insecure password for the Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014. We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account. We’re deeply sorry about this severe oversight,” Coinhive stated in the post.
Coinhive has pledged to reimburse sites for the theft. Among its plans to do so is a plan to credit all users with an additional half day of their average daily hashrate.