Wikipedia 2FA Security Breach Triggers Major Lockdown

The Wikimedia Foundation, which operates Wikipedia and other major wikis, is rolling out mandatory two-factor authentication (2FA) for high-privilege users starting May 20, in response to a large-scale account compromise affecting more than 35,000 accounts. The decision follows a March security alert revealing that 35,893 accounts across Wikimedia platforms had been compromised, most likely through credential stuffing, in which attackers replay username and password pairs leaked from other sites' breaches against accounts whose owners reused the same password.
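Credential stuffing has a distinctive shape in authentication logs: one source tries many different accounts but only one or two passwords each, which is the opposite of a brute-force attack that hammers a single account. The following is an added example of that distinction, written for this page and not code from the Wikimedia Foundation or MediaWiki; the log format, the sample lines (drawn from documentation IP ranges) and the thresholds are all constructed for illustration.

```python
"""Separate credential stuffing from brute force in an auth log.

Added example for illustration; the log lines, IP addresses, usernames
and thresholds below are constructed and do not come from any real system.
"""
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <source ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 alice FAIL
2025-03-01T10:00:02Z 203.0.113.7 bob FAIL
2025-03-01T10:00:03Z 203.0.113.7 carol SUCCESS
2025-03-01T10:00:04Z 203.0.113.7 dave FAIL
2025-03-01T10:00:05Z 203.0.113.7 erin FAIL
2025-03-01T10:00:06Z 203.0.113.7 frank FAIL
2025-03-01T10:00:07Z 203.0.113.7 grace SUCCESS
2025-03-01T10:00:08Z 203.0.113.7 heidi FAIL
2025-03-01T10:01:00Z 198.51.100.9 mallory FAIL
2025-03-01T10:01:01Z 198.51.100.9 mallory FAIL
2025-03-01T10:01:02Z 198.51.100.9 mallory FAIL
2025-03-01T10:01:03Z 198.51.100.9 mallory FAIL
2025-03-01T10:01:04Z 198.51.100.9 mallory FAIL
2025-03-01T10:01:05Z 198.51.100.9 mallory FAIL
2025-03-01T10:02:00Z 192.0.2.44 alice SUCCESS
"""

# Assumed thresholds; tune them to the real traffic volume of the site.
MIN_DISTINCT_USERS = 5      # stuffing fans out across many accounts ...
MAX_TRIES_PER_USER = 2      # ... but tries only a leaked password or two each
MIN_BRUTE_FORCE_TRIES = 5   # brute force keeps guessing at one account


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events


def summarize_by_ip(events):
    """Per source IP: how many tries against each username, and which logins succeeded."""
    per_ip = defaultdict(lambda: {"tries": Counter(), "successes": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["tries"][e["user"]] += 1
        if e["ok"]:
            stats["successes"].add(e["user"])
    return per_ip


def classify(per_ip):
    """Label each source IP as credential_stuffing, brute_force or normal."""
    verdicts = {}
    for ip, stats in per_ip.items():
        distinct_users = len(stats["tries"])
        max_per_user = max(stats["tries"].values())
        if distinct_users >= MIN_DISTINCT_USERS and max_per_user <= MAX_TRIES_PER_USER:
            verdicts[ip] = "credential_stuffing"
        elif distinct_users == 1 and max_per_user >= MIN_BRUTE_FORCE_TRIES:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_lock(per_ip, verdicts):
    """Accounts that authenticated successfully from a stuffing source.

    These are the accounts whose reused password evidently matched; they are
    the ones to lock and force through a password reset (and, for privileged
    roles, 2FA enrolment).
    """
    hits = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            hits |= per_ip[ip]["successes"]
    return sorted(hits)


if __name__ == "__main__":
    summary = summarize_by_ip(parse_log(SAMPLE_LOG))
    verdicts = classify(summary)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:<14} {verdict}")
    print("lock:", accounts_to_lock(summary, verdicts))
```

In the constructed sample, 203.0.113.7 touches eight accounts once each and is flagged as stuffing, 198.51.100.9 makes six attempts against a single account and is flagged as brute force, and the two accounts that succeeded from the stuffing source (carol and grace) are the ones to lock. Real campaigns spread attempts across proxy pools, so in practice the same aggregation is run per network or per autonomous system and over a time window rather than per single IP; the low per-account attempt count is the signal that survives that distribution.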

While most affected accounts were inactive or low-use (only 2% had more than 100 edits), the breach raised red flags: one compromised account had made nearly 1,000 edits in the past year. Although the Foundation stated it found no evidence of significant malicious editing, the event prompted an immediate tightening of security requirements.

The initial phase of mandatory 2FA will apply to users with elevated permissions, such as checkusers, who can view private account data including the IP addresses behind an account, and oversighters, who can suppress revisions so that even administrators cannot view them. Interface administrators, who manage site-wide scripts, are already subject to mandatory 2FA. Expansion to bureaucrats, who can promote or demote administrators, is also under consideration.

The Foundation acknowledged the technical and logistical hurdles of implementing stricter security but emphasized the necessity. Plans are in motion to improve 2FA access and usability by supporting multiple authenticators per account and phishing-resistant options such as security keys and passkeys. Unlike a time-based one-time code, which a phishing page can capture and replay within its validity window, a security key or passkey binds the authentication to the legitimate site's origin, so the response cannot be reused on a look-alike domain.

According to the Foundation, the breach was discovered in collaboration with volunteer moderators. All compromised accounts were locked, and users were notified where possible, although Wikipedia does not require an email address to register an account. One editor, “CoffeeCrumbs,” reported being compromised even though Google had earlier warned that their password had been found in a breach. Their account, with over 1,000 edits, was quickly locked and restored.

This isn’t the first time Wikipedia has faced account security issues. A 2018 breach led to significant vandalism, including obscene edits to the article on Donald Trump. In response, both the Arbitration Committee and the Foundation implemented stricter password policies for administrators.

The new wave of 2FA enforcement signals a renewed effort to prevent similar incidents and reinforce trust in the platform’s integrity.