Hackers were able to infiltrate Tesla's Kubernetes administration console because it was not password protected, cybersecurity firm RedLock said Tuesday. Kubernetes is a Google-designed system aimed at optimizing cloud applications.
This left access credentials for Tesla's Amazon Web Services (AWS) account exposed, and hackers deployed cryptocurrency mining software called Stratum to mine cryptocurrency using the cloud's computing power.
Cryptocurrency mining is a process whereby so-called miners solve complex mathematical problems to validate a transaction and add it to the underlying network.
RedLock did not specify which cryptocurrency was mined in the cyber breach.
Other major firms, including British insurer Aviva and Dutch SIM-maker Gemalto, were affected by similar problems, RedLock said. But the incident affecting Tesla's cloud system was more sophisticated, and used a number of different strategies to keep the hackers from being detected.
RedLock said that it notified Tesla of the cyber exposure and that it was swiftly rectified.
Tesla said that it did not see any initial impact on customer data protection or the safety and security of its vehicles.
"We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it," a spokesperson for Tesla said in an emailed statement.
"The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."
RedLock CTO Gaurav Kumar said businesses should monitor suspicious cyber activities to avoid being compromised.
"The message from this research is loud and clear — the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities," Gaurav Kumar, CTO of RedLock, said in a statement Tuesday.
"In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence."
Kumar added: "However, security is a shared responsibility. Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough."
What is 'cryptojacking'?
This incident marks another case of what is known in the cryptocurrency world as "cryptojacking."
Cryptojacking is a process whereby hackers deploy software that exploits a computer's CPU (central processing unit) to mine cryptocurrency.
Earlier this month, it was revealed that hackers had deployed an altered version of the popular plugin Browsealoud to a number of government websites in the U.K., the U.S. and Australia.
This version of Browsealoud infected the government websites with Coinhive code, which is used to generate units of the privacy-focused cryptocurrency monero.
U.S. online news outlet Salon is even asking visitors to its site who use ad blocking plugins if it can use their computing power to mine monero instead.