
Wikipedia Owners Will Require Increased Security After 35,000+ Accounts Compromised

[Image: hacker at his workstation. Credit: Tunvarat Pruksachat/Getty]

The Foundation that owns Wikipedia is preparing to require two-factor authentication for users with significant privileges starting in late May. It comes after the Foundation announced in March that they had locked 35,893 accounts across all Foundation-owned sites upon determining the passwords had been compromised. According to the announcement, the Foundation suspected this was due to account names and passwords being used on another compromised site.

Most of the accounts were said to be low-activity, with only 2 percent having made over 100 edits, and there was no evidence of the accounts being significantly misused. One Wikipedia account compromised a week prior to the announcement had made nearly 1,000 edits in the preceding year. Previous hacking incidents had already led to increased password requirements for those with admin privileges.

Foundation staff published the intended requirements on May 6 in order to invite community input before they are implemented on May 20. Citing the recent breach, the announcement stated they had “begun technically enforcing mandatory two-factor authentication for wiki interface administrators,” who can edit sitewide JavaScript pages. The announcement stated that the new two-factor authentication requirements would be limited to checkusers, who can access private account information, and oversighters, who can delete content so that even regular admins cannot see it. Regular administrators have the authority to suspend user accounts and delete content.

Expansion to bureaucrats, users who have the privileges to appoint and remove administrators, was also contemplated. They acknowledged difficulties in requiring authentication and “intend to expand the accessibility and security of our 2FA capabilities, such as allowing users to set up multiple authenticators, and to more fully support modern phishing-resistant methods like security keys and passkeys” to make it easier for those subjected to the requirements. They state that two-factor authentication is currently only available to users with privileged access, but that they will investigate enabling the option for all users. Two-factor authentication means logging in to an account requires providing additional verification beyond a password, such as a code generated on or sent to a mobile device.
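The “code on a mobile device” the paragraph above refers to is, for most authenticator apps, a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226). The following is an added illustration of how a server verifies such a code; it is not code from the Wikimedia Foundation or MediaWiki. The secret and the expected codes come from the RFC test vectors; the one-step window and the replay guard via a caller-supplied last accepted counter are assumed design choices, not anything the page describes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, for_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are usually provisioned with a base32 secret; decode it to raw bytes."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6,
                last_counter: int = -1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` steps (clock drift).

    Returns the matched counter (so the caller can store it as `last_counter`),
    or None on failure. Counters at or below `last_counter` are rejected so a
    code that has already been accepted cannot be replayed within the window.
    Comparison is constant-time to avoid leaking how many digits matched.
    """
    now = int(time.time()) if now is None else now
    counter = now // step
    candidate = submitted.strip().replace(" ", "")
    if not candidate.isdigit() or len(candidate) != digits:
        return None
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret ("12345678901234567890" in ASCII).
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(demo_secret, 59))
    print("verify:", verify_totp(demo_secret, "287082", now=59))
```

The server-side secret is the thing a credential-stuffing attacker does not have: even with a correct username and password from another breach, the login fails without a valid code for the current time step.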

Announcement of the recent hacking incidents was published on March 27. In the announcement, they stated the Foundation “in collaboration with volunteer functionaries, recently identified a pattern of unusual log-ins to registered accounts.” The tens of thousands of accounts identified as compromised were then locked and account-holders notified by e-mail where possible. Wikipedia does not require e-mail for account registration. Staff believed the compromise was due to “credential stuffing” where hackers “find stolen usernames and passwords and attempt to use those same combinations across a variety of other websites and accounts.” Details of the accounts, such as “email addresses, time zones, and other profile settings” were noted to be accessible.

Staff emphasized that they did not believe their site’s systems were compromised or that there was a targeted attack, further adding that “mostly inactive or low-activity accounts” were compromised with just 2 percent having over 100 edits. An update the next day stated they had “not seen evidence of significant malicious editing activity from any compromised account” to any Foundation-owned sites, but were still investigating. No further updates on the breach itself have yet been provided.
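The “pattern of unusual log-ins” described above is the typical fingerprint of the credential stuffing the earlier paragraph defines: a single source trying many different usernames, most of them failing, with the occasional success being an account whose reused password was in a leak. The script below is an added example of how a site operator might pick that pattern out of an authentication log; it is not the Foundation’s tooling, and the log format, thresholds and addresses (all from documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log format for this example: one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.7 walks through ten usernames and lands two;
# 198.51.100.20 is one user mistyping a password twice; 192.0.2.5 is a shared
# address (e.g. an office NAT) where several users log in normally.
SAMPLE_LOG = """\
2025-03-20T02:14:05Z ip=203.0.113.7 user=alice result=fail
2025-03-20T02:14:06Z ip=203.0.113.7 user=bob result=fail
2025-03-20T02:14:07Z ip=203.0.113.7 user=carol result=ok
2025-03-20T02:14:08Z ip=203.0.113.7 user=dave result=fail
2025-03-20T02:14:09Z ip=203.0.113.7 user=erin result=fail
2025-03-20T02:14:10Z ip=203.0.113.7 user=frank result=fail
2025-03-20T02:14:11Z ip=203.0.113.7 user=grace result=fail
2025-03-20T02:14:12Z ip=203.0.113.7 user=heidi result=ok
2025-03-20T02:14:13Z ip=203.0.113.7 user=ivan result=fail
2025-03-20T02:14:14Z ip=203.0.113.7 user=judy result=fail
2025-03-20T08:01:00Z ip=198.51.100.20 user=bob result=fail
2025-03-20T08:01:20Z ip=198.51.100.20 user=bob result=fail
2025-03-20T08:01:45Z ip=198.51.100.20 user=bob result=ok
2025-03-20T09:00:01Z ip=192.0.2.5 user=kim result=ok
2025-03-20T09:02:11Z ip=192.0.2.5 user=lee result=ok
2025-03-20T09:05:40Z ip=192.0.2.5 user=mia result=ok
2025-03-20T09:07:03Z ip=192.0.2.5 user=ned result=ok
2025-03-20T09:09:59Z ip=192.0.2.5 user=olga result=ok
this line is malformed and must be skipped
"""


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Attempt(m["ts"], m["ip"], m["user"], m["result"] == "ok")


def detect_credential_stuffing(
    lines: List[str], min_distinct_users: int = 5, min_fail_ratio: float = 0.8
) -> Tuple[List[str], List[str]]:
    """Return (suspicious source IPs, accounts that succeeded from those IPs).

    A source is flagged when it has tried at least `min_distinct_users`
    different usernames AND at least `min_fail_ratio` of its attempts failed.
    Requiring both conditions keeps a busy shared address (many users, few
    failures) and a single forgetful user (many failures, one user) out of
    the result. Accounts that logged in successfully from a flagged source are
    the ones to lock and notify, as the Foundation did.
    """
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"users": set(), "ok_users": set(), "fail": 0, "total": 0}
    )
    for line in lines:
        a = parse_line(line)
        if a is None:
            continue
        st = per_ip[a.ip]
        st["users"].add(a.user)
        st["total"] += 1
        if a.ok:
            st["ok_users"].add(a.user)
        else:
            st["fail"] += 1

    flagged_ips: List[str] = []
    compromised: set = set()
    for ip, st in per_ip.items():
        many_users = len(st["users"]) >= min_distinct_users
        mostly_failing = st["fail"] >= min_fail_ratio * st["total"]
        if many_users and mostly_failing:
            flagged_ips.append(ip)
            compromised.update(st["ok_users"])
    return sorted(flagged_ips), sorted(compromised)


if __name__ == "__main__":
    ips, accounts = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    print("suspicious sources:", ips)
    print("accounts to lock and notify:", accounts)
```

In practice the per-source counters would be kept over a sliding time window and stuffing campaigns are spread over many addresses, so a per-IP view is only the first cut; the two accounts it surfaces here are exactly the ones the paragraph describes the Foundation locking and e-mailing about.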

One account compromised a week prior to the announcement was “CoffeeCrumbs” on Wikipedia. The editor mentioned contacting the address for compromised accounts, but raised it publicly to quickly have the account locked. CoffeeCrumbs also mentioned having received a warning that the account password had appeared somewhere else before the compromise occurred. Admin “Spicy,” who possesses checkuser privileges on Wikipedia, confirmed the compromise and remarked that this was “Along with some others,” adding it would “be a long night in the CU mines.” Unlike most accounts mentioned in the Foundation announcement, CoffeeCrumbs had over a thousand edits when the account was compromised.

In a thread on the Wikipedia criticism forum Wikipediocracy, where the editor had used the same username and password as on Wikipedia, the editor posted that the notification received from Google about the password appearing on another site did not clearly identify the source, but that it “was found somewhere eight months ago.” CoffeeCrumbs noted the Foundation Trust and Safety Team was able to restore access to the account, but did not know if the compromise was related to the wider breach.

Previous hacking incidents have caused significant problems for Wikipedia. Back in 2018, multiple accounts were compromised, including admin accounts, and used to vandalize Wikipedia articles. This included edits replacing the top image of Donald Trump on his article with a penis. Six admin accounts compromised at that time and in the months that followed, including one that vandalized articles related to YouTuber PewDiePie’s feud with Indian music company T-Series, were locked and temporarily stripped of their privileges by the Arbitration Committee, a body often compared to a Supreme Court; some were never unlocked. The Committee eventually adopted stricter practices for admins who violate the site’s password policy, and the Wikimedia Foundation also adopted tighter password requirements.

T. D. Adler edited Wikipedia as The Devil’s Advocate. He was banned after privately reporting conflict of interest editing by one of the site’s administrators. Due to previous witch-hunts led by mainstream Wikipedians against their critics, Adler writes under an alias.

via May 12th 2025