The organization that oversees Wikipedia is implementing a new two-factor authentication requirement, starting in late May, for users with significant privileges. The decision follows a March announcement that over 35,000 accounts had been locked after their passwords were found to be compromised. The breaches appear to be linked to users reusing credentials from other sites that had themselves been breached.
While most of the compromised accounts were inactive (only about 2% had made significant edits), one notable Wikipedia account was hijacked just a week before the announcement. Earlier hacking incidents had already prompted stricter password security measures for administrators.
Foundation staff plan to gather community feedback on the new requirement before it takes effect. They described it as a response to the recent security breach and said that mandatory two-factor authentication will apply to interface administrators, the users who can modify site-wide JavaScript. Initially, the requirement will mainly target CheckUsers, who have access to private account information. Regular administrators, by comparison, have the authority to suspend accounts or delete content.
The foundation is also considering extending the requirement to bureaucrats, the users who appoint and dismiss administrators. It acknowledged that rolling out mandatory authentication is challenging, and said it aims to make the two-factor options more accessible and effective, for example by supporting multiple authenticators. Although two-factor authentication is currently available only to users with elevated privileges, there are plans to potentially open it to everyone. Logging in would then require an additional verification step beyond the password, such as a code sent to a mobile device.
After the hacking incident reported in late March, the foundation worked with volunteer experts to identify unusual login activity on registered accounts. Tens of thousands of accounts flagged as compromised were locked, and notifications were sent out where possible, bearing in mind that an email address is not required to register on Wikipedia. Staff believe the breaches most likely stemmed from credential stuffing, in which usernames and passwords stolen from one site are tried on other sites, giving attackers access to profile details such as email address, time zone, and other settings.
Staff said they have found no evidence of a systemic vulnerability in the site’s security, noting that most compromised accounts were either inactive or little used, with only a small number having made significant edits. Investigations into malicious activity tied to the breach are ongoing, and no further updates have been provided at this time.
One notable account compromise occurred just days before the announcement and involved an editor known as “coffeecrumbs.” The editor quickly contacted the relevant parties to secure the account, and had previously received warnings that the password had been exposed. An administrator confirmed the compromise and indicated that resolving it could take some time. Unlike many of the other affected accounts described by the foundation, coffeecrumbs had made over a thousand edits before the breach.
Discussions on forums such as Wikipediocracy revealed that users who had used the same username and password elsewhere received alerts from Google that their credentials had been found on other sites, although the exact source remained unclear. Although the Trust and Safety team restored access for the affected users, it remains unclear whether this compromise is part of a larger security breach.
Past incidents, such as the significant hack in 2018, compromised several accounts, including administrative ones, and led to vandalism on Wikipedia. In some cases, edits replaced prominent images with inappropriate content, causing serious disruption. As a result, a number of accounts had their privileges temporarily revoked. The committee subsequently revised the requirements for administrators and reinforced strict password policies to reduce the risk of future breaches.
