L.A. Times Hacked by Monero Cryptominers?

Rumors are swirling that the Los Angeles Times was part of a large group of websites affected by the unauthorized addition of a cryptocurrency-mining script.

A few days ago, it was reported that thousands of websites around the world – from the United Kingdom’s National Health Service to the City University of New York (cuny.edu) and the United States’ court information portal (uscourts.gov) – had been secretly mining cryptocurrency using the processing power of computers belonging to readers who visited the sites via web browsers.

The affected sites were all found to be using a plugin called Browsealoud, made by the British company Texthelp, which reads webpages aloud for blind or partially sighted people.

Hackers are being blamed for altering Browsealoud’s source code in order to quietly inject a Monero miner into every webpage offering Browsealoud. Monero is a privacy-focused cryptocurrency that’s distinct from Bitcoin. Many miners prefer Monero (symbol: XMR) because, unlike Bitcoin, which is now only worth mining on expensive specialized equipment, XMR can still be mined on a regular computer.

Web Browser Mining

Upon being informed of the situation, Coinhive, the maker of the JavaScript mining code, immediately terminated the account associated with the site key used in the Browsealoud incident.

We ourselves confirmed this morning that the Los Angeles Times was in fact serving JavaScript code very similar to Coinhive. Visiting the online newspaper’s pages increased our desktop computers’ CPU usage by a considerable amount, though not enough to affect the user experience.

To reiterate, hackers did not need to have directly accessed the LAT website in order to serve up the script. It is likely that the website was using a third-party plugin that was compromised and used by bad actors to inject the Monero-mining code.

Inquiries to Los Angeles Times staff have yet to be returned. This page will be updated when new information becomes available.

UPDATE: As of Wednesday evening, the script seems to have been removed.

The Register is now reporting that The Times’ IT staffers had somehow created a huge security gap by leaving at least one of their Amazon Web Services (AWS) S3 cloud storage buckets wide open for anyone on the internet to freely change, update, and tamper with.
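The misconfiguration described above, a bucket that anyone on the internet can write to, can be checked for by inspecting the bucket ACL. The following is an added example, not code from the article or from any of the organizations it names; it assumes an ACL in the shape AWS's GetBucketAcl API returns (as boto3's `get_bucket_acl` does) and uses a constructed sample, since the article gives no bucket names or settings.

```python
"""Flag S3 bucket ACL grants that let anyone on the internet write to the bucket.

The ACL dict follows the shape returned by AWS's GetBucketAcl API
(e.g. boto3's s3.get_bucket_acl), so the function can run on a saved
response without any network access.
"""

# Predefined S3 groups that stand for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet",
                 AUTHENTICATED_USERS: "any AWS account holder"}

# Permissions that allow changing bucket contents or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_write_grants(acl):
    """Return (who, permission) pairs that let a public group modify the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not public groups
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who and grant.get("Permission") in WRITE_LIKE:
            findings.append((who, grant["Permission"]))
    return findings


# Constructed sample (owner ID and grants are made up): a normal owner grant,
# a public READ grant, and a world-writable grant of the kind the article describes.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for who, perm in public_write_grants(SAMPLE_ACL):
        print(f"WARNING: {who} has {perm} on this bucket")
```

Bucket policies can grant the same access independently of the ACL, so a real audit also has to read the bucket policy and the account's Block Public Access settings.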