Unwanted System Mining

Is your computer running slow, and have you found evidence of a specific software using all your CPU and/or GPU capacity?

You may be the victim of unwanted system mining.

Basic Best Practices

If a machine is mining Monero without the intent of the user, then the computer has been compromised. Monero itself did not compromise the machine; it was compromised in some other way, and the Monero miner is simply malware installed on it. It could have been compromised by someone with physical access to the machine or by someone on the other side of the world.

To prevent people from mining on a machine, the machine needs to be secure. If, for instance, a machine has a weak login password, it may be trivial for attackers to compromise it. In addition to mining Monero, the attackers could use the machine for a variety of other purposes, including sending spam email and running surveillance. It is also common for malware to scan the local network for other computers to infect. Monero has no control over the security of these machines.

Investigative Possibilities

Once the malware is found, only a limited amount of useful information can be recovered from it.

The mining pool and address.

It’s likely that the malware is mining to a specific pool, such as supportxmr.com. There are many different mining pools. You can often visit the pool site and enter the address the computer is mining for. It may show you limited information, such as the amount mined and the time the last share was found. It’s possible that this malware is running on many machines. You can contact the pool and ask them to suspend payment to that address; many pools blacklist addresses used for botnet mining. These pools are in no way affiliated with Monero, and it’s likely that the pool operator has no idea who is behind the address. If you need help getting in touch with pool operators, let us know.

Your internal logging systems.

You can use your own internal logging to attempt to determine the origin of the threat, whether internal or external. How successful this is will depend on the quality of your logging. If you are on a home network, it's unlikely that you have sufficient logging. If you are a business, you may have tools to track down the date and time the malware was installed; speak with your network administrator.

What You Can Do If a Machine Has Been Compromised

There are two basic options for proceeding. We highly recommend the second option if you plan on using this machine for sensitive data, including storing confidential/personal information or accessing banking services. The attacker may have installed other malware in addition to a Monero miner, including (but not limited to) a keylogger.

1. Attempt to remove the malware.

Check your system processes and see what is using your CPU. Remove any malicious files. You can aid this process by using a tool such as MalwareBytes or SpyBot. Most recent antivirus software removes mining programs.
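One way to do that check systematically, as an added example that is not part of this page or the Workgroup's own tooling: correlate CPU-heavy processes with their outbound connections and flag those talking to a pool. The inputs below are constructed samples shaped like `ps -eo pid,pcpu,comm` and `ss -tnp` output; the 50% threshold, the pool port list and the placeholder pool IP are assumptions you would replace with what the pool host (for example supportxmr.com) resolves to on your network.

```python
"""Correlate CPU-hungry processes with connections to a known mining pool.
Added example, not code from the Monero Malware Response Workgroup page."""
import re

CPU_THRESHOLD = 50.0             # assumption: % CPU that counts as hogging
POOL_PEERS = {"203.0.113.5"}     # placeholder: what your pool host resolves to
POOL_PORTS = {3333, 5555, 7777}  # assumption: ports commonly used by pools

SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.0 systemd
 4242 97.5 svc-helper
 5100 12.0 firefox
"""

SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:51234 203.0.113.5:3333 users:(("svc-helper",pid=4242,fd=3))
ESTAB 0 0 192.168.1.10:44120 198.51.100.7:443 users:(("firefox",pid=5100,fd=88))
"""

def parse_ps(text):
    """{pid: (cpu_percent, command)} from `ps -eo pid,pcpu,comm` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        pid, cpu, comm = line.split(None, 2)
        procs[int(pid)] = (float(cpu), comm.strip())
    return procs

_PEER_RE = re.compile(r'(\S+):(\d+)\s+users:\(\("[^"]*",pid=(\d+)')

def parse_ss(text):
    """{pid: [(peer_ip, peer_port), ...]} from `ss -tnp` output."""
    conns = {}
    for m in filter(None, map(_PEER_RE.search, text.splitlines())):
        conns.setdefault(int(m.group(3)), []).append((m.group(1), int(m.group(2))))
    return conns

def find_suspects(ps_text, ss_text):
    """Processes above CPU_THRESHOLD with a peer matching a pool address or port."""
    conns = parse_ss(ss_text)
    suspects = []
    for pid, (cpu, comm) in parse_ps(ps_text).items():
        peers = [p for p in conns.get(pid, []) if p[0] in POOL_PEERS or p[1] in POOL_PORTS]
        if cpu >= CPU_THRESHOLD and peers:
            suspects.append((pid, comm, cpu, peers))
    return suspects

if __name__ == "__main__":
    for pid, comm, cpu, peers in find_suspects(SAMPLE_PS, SAMPLE_SS):
        print(f"pid {pid} ({comm}) at {cpu}% CPU talks to pool peer(s) {peers}")
```

A process that hogs the CPU but has no pool connection still deserves a look; the correlation only narrows the list, it does not clear anything.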

2. Completely re-install the operating system.

This will remove all of your files, but it does a much better job of removing malware. Here are guides for Windows 10, macOS Sierra, and Ubuntu.

Didn't find what you were looking for?

It is possible that you are having a different issue than system mining. Try the pages on unwanted in-browser mining or ransomware. If you still haven’t found what you need, the Monero Malware Response Workgroup is here to help you get your computer back to normal. If you would like assistance, please visit #monero-mrw. We hope to include a simpler in-browser support system in the future.