
Wikipedia’s Owners Mismanage Launch of Enhanced Account Security Features

On May 20, the Wikimedia Foundation, which oversees Wikipedia, announced new security measures for certain high-access users following a hacking event that affected over 35,000 accounts. However, the foundation had to rescind these requirements when it realized it couldn’t adequately inform those impacted about the new security protocols, leading to a delay in their implementation.

Foundation representatives stated they wouldn’t roll out these requirements again until they confirmed that all users who were affected had been properly notified.

Back in late March, the organization disclosed that they had locked 35,893 accounts after detecting compromised passwords. Many of these accounts had fewer than 100 edits and hadn’t shown any significant malicious activity. However, a May 6 announcement emphasized the need for enhanced security through mandatory two-factor authentication for users with CheckUser and Monitoring rights. This plan also contemplated extending such measures to “bureaucrats,” who can manage control permissions for users. Notably, the existing security requirements already covered “Interface Administrators,” who edit JavaScript pages site-wide.

These security updates took effect on May 20. Users with the specified privileges could not access their accounts without first enabling two-factor authentication, which typically involves tying an account to a mobile device that receives a code in addition to the password. The day after these conditions were put in place, members of Wikipedia’s Arbitration Committee noted that they lacked prior notification of the new requirements, despite indications that they would be informed ahead of time. As a result, they faced challenges in utilizing their high-level privileges in one response.

In response, the foundation's staff said they were focused on assessing the communication failure around the changes. They said they would reinstate the requirements only one week after confirming that the communication efforts had succeeded.

Wikipedia has been a target of various hacking incidents, particularly between 2018 and 2019, when six administrative accounts were compromised and misused to vandalize pages, including those about President Donald Trump and YouTuber PewDiePie. Some of these accounts remain locked due to the incidents, prompting the foundation to adopt stricter password policies and practices concerning committee recruitment and violations.
