Visitors of the Make-A-Wish website may have unknowingly been hacked
Robert Siciliano November 29, 2018


One of the most prolific hacks this year is cryptojacking. Essentially, a hacker causes your computer to mine cryptocurrency for them after you visit an infected website. These criminals aren’t just targeting sites you’ll likely never visit; they’re now infecting any site, including the Make-A-Wish Foundation, a charity that helps uplift children with terminal or serious illnesses.

Anyone who visited the Make-A-Wish site during the time the cryptojacking malware was present unknowingly had their computer recruited to mine cryptocurrency for criminals. You could have been online donating to an awesome foundation that helps sick children, all the while your computer was helping hackers make money.

How did the hack work?

The Make-A-Wish site was partially built using a content management system called Drupal. Drupal had recently announced a vulnerability that allowed hackers to inject malicious code into websites running its software. Though Drupal released a patch to fix the issue, many organizations were lax about installing it, including the operators of the Make-A-Wish site.

With the charity’s site exposed, hackers inserted software called CoinImp onto the worldwish.org website. This forced any computer that visited the site to begin mining Monero, a type of cryptocurrency. Silvia Hopkins, the spokesperson for Make-A-Wish, says that they are aware this hack took place and that they have now fixed the issue. She also says that no donor’s personal information was released during the hack.

It’s not uncommon for companies to be slow to apply security updates to their sites. There are a number of reasons for this. For example, a company that has a small IT department might not have the bandwidth to make security a priority. A large company might have logistical issues that slow the process down. With this in mind, it’s mind-boggling to imagine how many sites are currently infected with similar cryptojacking malware.
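A site owner can catch the kind of script injection described above by auditing which hosts a page loads scripts from and comparing them with what the site is expected to use. The following is an added example, not code from the original article or from Make-A-Wish; the allowlist, the sample pages, and the host names (`www.example.org`, `cdn.example.org`, `miner.example`) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (constructed): expected script hosts; miner name taken from the article.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}
SUSPICIOUS_KEYWORDS = ("coinimp",)

class ScriptAudit(HTMLParser):
    """Collects the host of every external script and the text of inline ones."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.external_hosts, self.inline_scripts = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative URLs have no hostname and resolve to the page's own host.
            self.external_hosts.append((urlparse(src).hostname or self.page_host).lower())
        else:
            self._in_inline = True
            self.inline_scripts.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline_scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_page(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return findings for script hosts outside the allowlist and flagged inline code."""
    parser = ScriptAudit(page_host)
    parser.feed(html)
    parser.close()
    findings = [("unexpected-script-host", h) for h in parser.external_hosts if h not in allowed]
    for body in parser.inline_scripts:
        findings += [("suspicious-inline-script", k) for k in SUSPICIOUS_KEYWORDS if k in body.lower()]
    return findings

# Constructed sample pages: a clean template and the same page after tampering.
SAMPLE_CLEAN = ('<html><head><script src="/js/site.js"></script>'
                '<script src="https://cdn.example.org/lib.js"></script></head></html>')
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace("</head>", '<script src="//miner.example/m.js"></script>'
    '<script>/* constructed */ startMiner("CoinImp");</script></head>')
```

Run on a schedule against the pages as served, a check like this flags a new script host even when the keyword list knows nothing about the particular miner.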

Who was affected?

It is unknown how many people have been affected by the CoinImp infection, as no one knows how long it has been going on. But given how well known the Make-A-Wish Foundation is, the total number of users recruited to mine cryptocurrency for the criminals is likely high. The one good thing is that, once the user closed the tab in their browser or went to another page, the mining stopped.

How serious could this be?

The Make-A-Wish Foundation did not lose any money during the hack, nor did any donor have their personal information compromised. If you visited the Make-A-Wish site during the infection, your computer’s CPU will likely have been under enormous strain, though there will likely be no long-term damage.

The biggest problem, perhaps, is that this case illustrates just how prevalent cryptojacking has become, and that there are no limits to how far bad guys will go to make a buck. It doesn’t matter if it’s a phone company or a charity that helps children: no business is safe from hackers if it doesn’t take steps to protect its site.



About Robert Siciliano

Robert Siciliano is an identity theft expert and consultant to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Find Robert Siciliano on Google+
