Type
Incident
Actors
Unknown
Pub. date
February 22, 2018
Initial access
Cloud native misconfig
Impact
Resource hijacking
Targeted technologies
S3 Bucket
References
https://www.theregister.com/2018/02/22/la_times_amazon_aws_s3/
Status
Finalized
Last edited
Nov 6, 2024 2:26 PM
The Los Angeles Times website was covertly mining cryptocurrency on visitors' devices after hackers injected CoinHive's Monero-mining code. This happened due to an unprotected Amazon S3 storage bucket, which allowed unrestricted public access, letting hackers modify site files. They inserted the mining script on the newspaper's interactive homicide map, causing visitors to unknowingly mine cryptocurrency for the attackers.
Others discovered this vulnerability, leaving a warning note titled "BugDisclosure.txt" urging the LA Times to secure the bucket. The open permissions allowed hackers to add potentially more harmful code, like password-stealing malware, though only the mining script was found.