
Wikimedia Foundation’s bungled rollout of two-factor authentication left thousands of privileged Wikipedia editors locked out of their accounts, creating chaos for the platform that claims to be the world’s most reliable source of information.
Key Takeaways
- The Wikimedia Foundation attempted to implement mandatory two-factor authentication after 35,000+ accounts were compromised, but failed to notify many affected users
- The security requirement has been temporarily rolled back until June 3, 2025, when it will be reinstated after proper notification
- Despite the massive account breach, the Foundation claims minimal malicious activity was detected from the compromised accounts
- This security failure follows a pattern of questionable management decisions, including the Foundation’s current legal battle against the UK’s Online Safety Act
Security Rollout Disaster
The Wikimedia Foundation, which oversees Wikipedia, launched a mandatory two-factor authentication system on May 20 targeting users with enhanced privileges. The initiative came in response to a serious security breach that compromised more than 35,000 user accounts. However, the rollout quickly descended into chaos when many users discovered they were suddenly locked out of their accounts without any prior warning that new security requirements were being implemented.
“An internal miscommunication meant we did not send the direct emails to affected users prior to May 20 as we intended. These notices will go out shortly,” said a Foundation staffer.
The Foundation quickly backtracked, rolling back the security requirement after a member of Wikipedia’s Arbitration Committee reported that numerous users had been left in the dark about the changes. The Foundation admitted to the communication failure and has now extended the deadline for enabling two-factor authentication to June 3, 2025, promising to properly notify all affected users and provide a one-week grace period before reimplementing the requirement.
Compromised Accounts and Security Vulnerabilities
In March, the Foundation locked an astounding 35,893 accounts after discovering compromised passwords. While they claim most of these accounts had minimal editing history and showed no significant malicious activity, the scale of the breach raises serious questions about Wikipedia’s overall security infrastructure. This latest incident follows previous hacking events from 2018 to 2019 that resulted in compromised administrator accounts.
The Foundation’s May 6 announcement outlined increased security measures targeting users with “checkuser” and “oversight” privileges, with plans to potentially expand the requirements to “bureaucrats” who can assign administrative permissions. “Interface administrators” were already subject to these enhanced security protocols prior to the latest rollout attempt, suggesting a piecemeal approach to implementing critical security improvements.
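The rollout failure described above comes down to one missing gate: accounts were locked before the notice they were promised had gone out. As an added illustration that is not part of the original article and not Wikimedia’s own code, the following Python policy check refuses to lock any targeted account until a direct notice has been recorded and a grace period has elapsed, and reports which targeted accounts still need notifying before enforcement is switched on. The group names (checkuser, oversight, interface administrator) come from the article; the seven-day grace period matches the one-week figure above; the account records, dates and function names are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Privileged groups the article says are subject to mandatory 2FA.
# Treating all three as one enforced set is an assumption for this example.
ENFORCED_GROUPS: Set[str] = {"checkuser", "oversight", "interfaceadmin"}

# One-week grace period, as announced after the rollback.
GRACE_PERIOD = timedelta(days=7)


@dataclass
class Account:
    name: str
    groups: Set[str]
    has_2fa: bool
    notified_on: Optional[date] = None  # date the direct notice was actually sent


def enforcement_status(acct: Account, today: date) -> str:
    """Classify an account for a 2FA enforcement run.

    Returns one of:
      'not-targeted' : no enforced group, leave alone
      'compliant'    : targeted and already has 2FA
      'must-notify'  : targeted, no 2FA, and no notice ever sent (never lock)
      'grace'        : notified, but the grace period has not elapsed
      'locked'       : notified, grace period over, still no 2FA
    """
    if not (acct.groups & ENFORCED_GROUPS):
        return "not-targeted"
    if acct.has_2fa:
        return "compliant"
    if acct.notified_on is None:
        # The failure mode from the article: locking someone who was never told.
        return "must-notify"
    if today < acct.notified_on + GRACE_PERIOD:
        return "grace"
    return "locked"


def rollout_plan(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map every account name to its enforcement status for a given day."""
    return {a.name: enforcement_status(a, today) for a in accounts}


def unnotified_targets(accounts: List[Account], today: date) -> List[str]:
    """Accounts that would be affected but have no notice on record.

    Enforcement should not be enabled while this list is non-empty.
    """
    return [a.name for a in accounts if enforcement_status(a, today) == "must-notify"]


# Constructed sample data: names, groups and dates are invented for this example.
SAMPLE_ACCOUNTS = [
    Account("alice", {"checkuser"}, has_2fa=True),
    Account("bob", {"oversight"}, has_2fa=False),                      # never notified
    Account("carol", {"checkuser"}, has_2fa=False, notified_on=date(2025, 5, 28)),
    Account("dave", {"oversight"}, has_2fa=False, notified_on=date(2025, 5, 20)),
    Account("erin", {"sysop"}, has_2fa=False),                         # not in scope
]

if __name__ == "__main__":
    enforcement_day = date(2025, 6, 3)
    for name, status in rollout_plan(SAMPLE_ACCOUNTS, enforcement_day).items():
        print(f"{name:6s} {status}")
    pending = unnotified_targets(SAMPLE_ACCOUNTS, enforcement_day)
    if pending:
        print("Do not enable enforcement yet; still un-notified:", pending)
```

The useful property is that `unnotified_targets` acts as a pre-flight check: an operator flips the requirement on only when it returns an empty list, so a dropped email batch surfaces as a blocked deployment rather than as locked-out users.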
Broader Regulatory Challenges
The security debacle comes as the Wikimedia Foundation faces another major challenge – a legal battle against the United Kingdom’s Online Safety Act (OSA). The Foundation has initiated court proceedings against the act, which could classify Wikipedia as a “Category 1 service” subject to stringent compliance obligations originally designed for high-risk social media platforms.
“As a Category 1 service, Wikipedia could face the most burdensome compliance obligations, which were designed to tackle some of the UK’s riskiest websites,” said Franziska Putz, explaining the Foundation’s position.
The OSA, passed in 2023, aims to protect users from harmful online content but could force Wikipedia to implement identity verification tools and user blocking mechanisms that the Foundation argues would compromise its volunteer-based model. Companies found in breach of OSA rules face fines up to £18 million or 10% of global turnover, and potentially having their services blocked entirely in the UK.
The Foundation’s lead counsel, Phil Bradley-Schmieg, warns that enforcing Category 1 duties could “expose users to data breaches, stalking, vexatious lawsuits or even imprisonment by authoritarian regimes.”