Public Cloud Security Breaches Documenting their mistakes so you don't make them.

LA Times Cryptomining

Incident Details

Victimized Company:The Los Angeles Times
Incident Dates:2018-02-09 to 2018-02-22
Disclosure Date:2018-02-21
Current Status:Threat Actor Unknown

In February 2018, The Los Angeles Times was unwittingly part of a crypto jacking scheme. A publicly writable S3 Bucket on their website was discovered and configured to serve a Coinhive Monero Miner Javascript code. The injected code used the CPU power of any browser that visited the site.


Details of the Incident

In February 2018, Security Researcher Troy Mursch discovered a crypto-jacking script running on The Los Angeles Times website. The script came from the website known as Coinhive, a now shutdown crypto-mining business, that enabled users to inject designed Javascript code that would mine Monero by using the CPU processing from the site’s visitors’ devices.

The discovered vulnerability was due to a misconfiguration in The Los Angeles Times AWS S3 bucket that allowed write access to anyone. An unauthorized 3rd party took advantage of this opening and modified a Javascript file inside the bucket, adding the Coinhive script to begin mining. According to Mursch, The code was located on The Los Angeles Times Homicide Report Web page, a page with frequent visitors using the website scanning tool urlscan.io1.

Mursch states that “the miner was throttled to reduce the impact on visitors’ CPUs and would be harder to detect” compared to the traditional full 100% CPU throttle that most Crypto Jackers use. Mursch said the code might have at least been there since February 9th. Mursch emailed The Los Angeles Times, advising them to remove the malicious javascript.

While researching this, Mursch discovered2 another file, BugDisclosure.txt, which contained a warning to the site operators, urging them to secure it.


Date Event
February 9th, 2018 First known evidence the LA Times’ S3 Bucket hosted the Coinhive miner.
February 21st, 2018 Security Researcher Troy Mursch identifies that unauthorized users uploaded a cryptocurrency miner to the LA Times website.
February 22nd, 2018 The Los Angeles Times removes the Coinhive code from the Homicide Report page.

Attribution / Perpetrator

The threat group has never been identified or disclosed.

Summary of Coverage

Cloud Security lessons learned

  • The LA Times did not have a cloud security posture management (CSPM) tool in place or had not prioritized the remediation of findings.
  • The LA Times did not have any file integrity checking in place to ensure that the code served customers was verified and from a known source repository