
Wikipedia administrators were locked out of their accounts after the Wikimedia Foundation botched the rollout of mandatory two-factor authentication, implemented in response to a massive security breach that compromised over 35,000 user accounts.
Key Takeaways
- Over 35,000 Wikipedia accounts were compromised in a recent security breach, prompting the Wikimedia Foundation to implement two-factor authentication for users with advanced privileges.
- The Foundation bungled the rollout by failing to notify all affected users before enforcing the new security measures, leaving some administrators temporarily locked out of their accounts.
- Implementation has been postponed until June 3, 2025, to ensure all users receive proper notification with a week-long grace period.
- This security update follows previous hacking incidents from 2018-2019 that resulted in compromised administrator accounts and demonstrated the need for enhanced security measures.
- The Foundation is simultaneously fighting the UK’s Online Safety Act, which could impose additional burdensome compliance obligations on Wikipedia’s volunteer model.
Botched Security Rollout Causes User Lockouts
The Wikimedia Foundation, which operates the world’s largest online encyclopedia, has temporarily rolled back new security requirements after a botched implementation left numerous Wikipedia administrators locked out of their accounts. On May 20, the Foundation activated mandatory two-factor authentication (2FA) for users with advanced privileges, including those with “checkuser” and “oversight” capabilities, but failed to notify all affected users beforehand. The security upgrade came in response to a March 2025 incident in which 35,893 Wikipedia accounts were compromised via breached passwords.
“An internal miscommunication meant we did not send the direct emails to affected users prior to May 20 as we intended. These notices will go out shortly,” a Foundation staffer wrote.
After multiple complaints from Wikipedia’s Arbitration Committee members about users being unexpectedly locked out, the Foundation was forced to reverse course. It acknowledged the communication failure and announced a revised plan to reimpose the security requirements on June 3, 2025, but only after confirming that all affected users have been properly notified and given a week-long grace period to enable 2FA on their accounts.
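The failure mode here is an enforcement switch that was flipped before the notification step had happened. A gate that ties the lockout date to the notice itself cannot fail that way: it never blocks an account that was never told, and it never blocks before a full grace period has elapsed after the notice. The following is an added illustration of that pattern, not Wikimedia or MediaWiki code; the group names, the sample accounts and all function names are assumptions made for the example, and only the June 3 date and the one-week grace period come from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy parameters from the article: enforcement resumes June 3, 2025, and
# every affected user gets a week-long grace period after the direct notice.
ENFORCEMENT_DATE = date(2025, 6, 3)
GRACE_PERIOD = timedelta(days=7)

# Assumption: illustrative group names based on the groups the article mentions,
# not Wikimedia's actual configuration.
PRIVILEGED_GROUPS = frozenset({"checkuser", "oversight", "interfaceadmin", "bureaucrat"})


@dataclass
class Account:
    name: str
    groups: frozenset
    has_2fa: bool
    notified_on: Optional[date]  # date the direct notice was sent; None if never


@dataclass
class Decision:
    action: str  # "allow", "warn" or "block"
    reason: str


def deadline_for(acct: Account, enforcement_date: date = ENFORCEMENT_DATE,
                 grace: timedelta = GRACE_PERIOD) -> Optional[date]:
    """First day on which a privileged account without 2FA is blocked.
    Returns None when no deadline exists because the user was never notified."""
    if acct.notified_on is None:
        return None
    # Never earlier than the announced date, and never earlier than a full
    # grace period after the notice actually went out.
    return max(enforcement_date, acct.notified_on + grace)


def enforcement_decision(acct: Account, today: date,
                         enforcement_date: date = ENFORCEMENT_DATE,
                         grace: timedelta = GRACE_PERIOD) -> Decision:
    """What the login gate does for one account on a given day."""
    if not (acct.groups & PRIVILEGED_GROUPS):
        return Decision("allow", "not in a group subject to mandatory 2FA")
    if acct.has_2fa:
        return Decision("allow", "2FA already enabled")
    deadline = deadline_for(acct, enforcement_date, grace)
    if deadline is None:
        # The May 20 failure mode: a user who was never told is never locked out.
        return Decision("warn", "no notice sent yet; enforcement deferred")
    if today < deadline:
        return Decision("warn", f"enable 2FA within {(deadline - today).days} days")
    return Decision("block", f"2FA required since {deadline.isoformat()}")


def not_ready_for_enforcement(accounts, enforcement_date: date = ENFORCEMENT_DATE,
                              grace: timedelta = GRACE_PERIOD):
    """Pre-flight check to run before flipping the switch: names of privileged
    accounts that would be blocked on enforcement_date without having received
    a notice followed by a full grace period. Empty list means go."""
    return [
        a.name for a in accounts
        if (a.groups & PRIVILEGED_GROUPS) and not a.has_2fa
        and (deadline_for(a, enforcement_date, grace) or date.max) > enforcement_date
    ]


# Constructed sample accounts for the example; not real Wikipedia users.
SAMPLE_ACCOUNTS = [
    Account("Alice", frozenset({"sysop", "checkuser"}), False, None),        # never notified
    Account("Bob", frozenset({"oversight"}), False, date(2025, 5, 27)),      # notified a week ahead
    Account("Carol", frozenset({"bureaucrat"}), False, date(2025, 5, 30)),   # notified late
    Account("Dave", frozenset({"interfaceadmin"}), True, date(2025, 5, 27)), # already enrolled
    Account("Eve", frozenset({"autoconfirmed"}), False, None),               # ordinary editor
]

if __name__ == "__main__":
    print("not ready for June 3:", not_ready_for_enforcement(SAMPLE_ACCOUNTS))
    for acct in SAMPLE_ACCOUNTS:
        d = enforcement_decision(acct, ENFORCEMENT_DATE)
        print(f"{acct.name:6} {d.action:5} {d.reason}")
```

Running the pre-flight check with the original May 20 date flags every privileged account that lacks 2FA, which is exactly the signal that was missing the first time; with the June 3 date it still flags the never-notified and late-notified accounts, so the switch stays off until the notice step has genuinely been completed for everyone.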
Recurring Security Vulnerabilities Prompt Action
This isn’t the first time Wikipedia has faced significant security challenges. Between 2018 and 2019, the platform experienced multiple hacking incidents that resulted in compromised administrator accounts. These previous breaches led to stricter password requirements and more rigorous security practices, but the recent compromise of over 35,000 accounts demonstrates that more comprehensive measures are necessary. Most of the recently compromised accounts had minimal editing activity, and the Foundation reported no significant malicious actions were taken using the breached credentials.
The new security framework extends beyond the current requirements for “interface administrators” and will eventually include users with “bureaucrat” privileges—those who can assign administrative rights to other users. This phased implementation aims to secure the most sensitive access levels first, protecting the integrity of Wikipedia’s content and user data. Despite the initial rollout troubles, the Foundation remains committed to enhancing security across the platform while balancing user accessibility.
Legal Battles Over UK’s Online Safety Act
While dealing with internal security challenges, the Wikimedia Foundation is simultaneously fighting external regulatory threats. The organization has initiated legal action against the United Kingdom’s Online Safety Act (OSA), which could classify Wikipedia as a “Category 1 service” subject to stringent compliance requirements. These regulations, designed for high-risk social media platforms, would impose burdensome verification and content moderation obligations on Wikipedia’s volunteer-based model.
“As a Category 1 service, Wikipedia could face the most burdensome compliance obligations, which were designed to tackle some of the UK’s riskiest websites,” said Franziska Putz, a legal expert analyzing the case.
The Foundation’s lead counsel, Phil Bradley-Schmieg, warned that imposing such requirements could “expose users to data breaches, stalking, vexatious lawsuits or even imprisonment by authoritarian regimes.” Companies found in breach of OSA rules face fines up to £18 million or 10% of global turnover, with potential service blockages in the UK. Wikimedia has requested an expedited legal challenge, expressing regret over having to pursue judicial review but deeming it necessary to protect its volunteer contributors’ privacy and safety.