Wikipedia Owner Bungles Rollout of Increased Account Security Measures


The Wikimedia Foundation, the nonprofit that owns Wikipedia, introduced new account security requirements for users with certain advanced privileges on May 20 in response to a recent hacking incident that compromised over 35,000 accounts. However, the requirement was undone and its rollout delayed after the Foundation learned that it had failed to inform some impacted users of the new security steps.

Foundation staff stated they would not reimpose the requirements until a week after they confirm all affected users have been properly notified.

Back in late March, the Foundation announced they had locked 35,893 accounts after finding the passwords were compromised. While most were said to have fewer than 100 edits and showed no significant malicious activity, the Foundation announced on May 6 that it would increase security by requiring two-factor authentication for all users with “checkuser” and “oversight” privileges. Those privileges respectively allow for viewing private account data and for viewing material deleted in such a way that even users with regular admin privileges cannot see it. Expansion to “bureaucrats,” who can grant admin privileges to users, was also being considered. “Interface administrators,” who can edit site-wide JavaScript pages, were already subject to the requirements.

The security change was put into effect May 20, after which any users holding those privileges would be unable to use them without enabling two-factor authentication. Such authentication would mean, for instance, linking the account to a mobile device that would be sent a code required in addition to a password. One day after the requirements were imposed, a member of Wikipedia’s Arbitration Committee, considered the site’s Supreme Court, reported that some users subject to the requirements did not seem to have been notified, despite the Foundation’s announcement saying this would occur beforehand. They were thus unable to use their advanced privileges, with one responding to confirm not having seen a notification.

A Foundation staffer responded by noting the function denying access had been reverted. The staffer stated that this was done “whilst we check what went wrong in the planned communication,” adding that “Some of the communication went out, but apparently not all.” It was further stated that once they confirmed communications about the changes were received, they would wait a week before restoring the requirements.

Wikipedia was previously subject to a series of hacking incidents from 2018 to 2019, leading to six admin accounts being compromised with some used for vandalism of pages about President Donald Trump and popular YouTuber PewDiePie. Several of the admin accounts compromised at the time remain locked. Those incidents led to tightening password requirements and the Committee adopting stricter practices regarding breaches of those requirements.

T. D. Adler edited Wikipedia as The Devil’s Advocate. He was banned after privately reporting conflict of interest editing by one of the site’s administrators. Due to previous witch-hunts led by mainstream Wikipedians against their critics, Adler writes under an alias.
