
The Wikimedia Foundation’s botched security upgrade, rushed out after the compromise of 35,000 accounts, leaves Wikipedia administrators locked out of their own accounts and reveals major communication failures at the internet’s most-referenced information site.
Key Takeaways
- Over 35,000 Wikipedia accounts were recently compromised, prompting the Wikimedia Foundation to hastily implement two-factor authentication for privileged users
- The Foundation’s poor communication left many administrators unaware of the new security requirements, resulting in unexpected account lockouts
- After realizing their mistake, the Foundation rolled back the security measure and rescheduled implementation for June 3rd, 2025
- This security lapse follows previous serious breaches from 2018-2019, raising questions about Wikimedia’s ability to protect user data
- The incident occurs while Wikimedia is already battling UK regulators over the Online Safety Act’s potential impact on Wikipedia operations
Security Crisis Prompts Hasty Action
The Wikimedia Foundation, steward of the world’s largest online encyclopedia, faced a significant security crisis after discovering over 35,000 user accounts had been compromised due to password breaches. While most compromised accounts had minimal editing history and showed no evidence of significant malicious activity, the scale of the breach prompted immediate action. On May 6th, the Foundation announced enhanced security measures targeting users with advanced privileges, particularly those with “checkuser” and “oversight” capabilities – positions that grant access to sensitive user information and the ability to suppress content from public view.
“An internal miscommunication meant we did not send the direct emails to affected users prior to May 20 as we intended. These notices will go out shortly,” said a Foundation staffer.
The security update, implemented on May 20th, required two-factor authentication (2FA) for users with advanced privileges. The rollout immediately backfired when numerous administrators discovered they were locked out of their accounts without prior warning. Reports from Wikipedia’s Arbitration Committee confirmed that while some users had received notification of the pending security changes, many others had been left completely in the dark, creating widespread confusion and disruption across the platform’s administrative ranks.
Foundation’s Communication Breakdown
The Foundation’s handling of the security update exposed significant internal communication failures. After administrators began reporting account lockouts, a Foundation representative acknowledged the breakdown, stating they needed time “whilst we check what went wrong in the planned communication.” The representative further admitted, “Some of the communication went out, but apparently not all,” revealing a concerning level of disorganization within an organization responsible for safeguarding one of the internet’s most utilized information resources.
Following the botched rollout, the Foundation quickly suspended the 2FA requirement and announced a revised timeline. The new plan extends the deadline for enabling two-factor authentication to June 3, 2025, with assurances that proper notification will be sent to all affected users. This scramble to correct course underscores the tension between implementing necessary security measures and maintaining functional operations for Wikipedia’s volunteer administrator corps, who are essential to the site’s content moderation and management.
History of Security Vulnerabilities
This isn’t the first time Wikimedia has faced security challenges. From 2018 to 2019, the platform experienced significant hacking incidents that resulted in compromised administrator accounts. Those breaches led to stricter password requirements and heightened security practices. The recent incident involving 35,893 locked accounts due to compromised passwords suggests that despite previous measures, Wikipedia remains vulnerable to security threats that could potentially compromise the integrity of its content and user data.
The Foundation’s security plans extend beyond the current implementation. There are discussions about expanding two-factor authentication requirements to “bureaucrats,” users with the ability to grant administrative privileges to others. This proposed expansion reflects growing recognition that credential security is critical to maintaining Wikipedia’s reliability. However, the recent fumbled rollout raises serious questions about the Foundation’s ability to effectively implement such changes without disrupting the platform’s operations.
Regulatory Challenges Compound Security Concerns
The security crisis comes at a particularly challenging time for the Wikimedia Foundation, which is currently engaged in a legal battle against the UK’s Online Safety Act (OSA). The legislation, passed in 2023, could classify Wikipedia as a “Category 1 service,” subjecting it to stringent compliance obligations designed for high-risk social media platforms. These regulations would require Wikipedia to implement user identity verification tools and create mechanisms for blocking users – changes that could fundamentally alter how the platform operates.
“We regret that circumstances have forced us to seek judicial review of the OSA’s Categorisation Regulations,” said Phil Bradley-Schmieg, Wikimedia’s lead counsel.
Wikimedia argues that Wikipedia’s content moderation approach, based on volunteer editors and community governance, doesn’t pose the same risks as commercial social media platforms. Its legal challenge contends that imposing Category 1 duties could compromise volunteer privacy and safety, potentially exposing users to “data breaches, stalking, vexatious lawsuits or even imprisonment by authoritarian regimes.” With penalties for non-compliance reaching up to £18 million or 10% of global turnover, the stakes are high for an organization already struggling with basic security implementation.