Wikipedia Owner Bungles Rollout of Increased Account Security Measures

The Wikimedia Foundation, the nonprofit organization behind the world's most popular online encyclopedia, Wikipedia, has made an embarrassing mistake in its efforts to improve account security. In May, the Foundation introduced new security requirements for users with certain advanced privileges, but failed to inform some affected users about the changes, leading to a delay in the rollout of these measures.

In response to a recent hacking incident that compromised over 35,000 accounts, the Foundation announced on May 6 that it would increase security by requiring two-factor authentication for all users with "checkuser" and "oversight" privileges. These privileges allow users to view private account data or material deleted from the site, making them some of the most powerful and sensitive roles on Wikipedia.

Expansion to "bureaucrats," who can grant admin privileges to users, was also being considered. However, for now, only "interface administrators," who can edit site-wide JavaScript pages, were subject to these new security requirements. The changes took effect on May 20, after which any users with the affected advanced privileges would be unable to use them without enabling two-factor authentication.

This authentication method requires users to link their account to a mobile device, which is sent a code that must be entered in addition to their password. It is a standard security measure used by many online platforms, but it appears that the Foundation had not yet put this requirement in place when it announced the new changes.

One day after the requirements were imposed, a member of Wikipedia's Arbitration Committee reported that some users who were subject to them did not appear to have received the necessary notifications. This raised concerns about whether the Foundation had properly informed all affected users before enforcing the changes.

A Foundation staffer responded that the function denying access had been reverted, and that staff had "rechecked what went wrong in the planned communication". It was later revealed that some users had not received the direct emails about the changes that were intended for them. The staffer also stated that the deadline for enabling two-factor authentication would be extended to June 3, 2025.

The incident is a stark reminder of the importance of effective communication and planning when implementing security measures. In recent years, Wikipedia has faced several hacking incidents, including a series of attacks from 2018 to 2019 that compromised six admin accounts, some of which were used to vandalize sensitive pages.

A History of Security Breaches

The hacking incidents that led to the introduction of these new security measures are just the latest in a long history of breaches on Wikipedia. In 2018 and 2019, several admin accounts were compromised, some of which were used for malicious activity such as vandalizing the pages about President Donald Trump and the popular YouTuber PewDiePie.

The Foundation has since tightened its password requirements and adopted stricter practices for handling accounts that violate them. However, the recent incident shows that there is still work to be done to improve security on the site.

A Lesson in Communication

The incident also underlines the importance of effective communication when implementing security measures. The Foundation's failure to inform all affected users about the changes led to confusion and frustration among some of them, highlighting the need for clear and transparent communication.

The Foundation has since acknowledged its mistake and is taking steps to rectify it. Nonetheless, the incident is a lesson in the importance of careful planning and execution when rolling out security measures at scale.