Talk:Wikimedia Foundation/March 2025 discovery of account compromises
Add topic | This is a complex incident WMF staff are actively monitoring this page and will respond to questions as soon as possible. |
Number of accounts
[edit]Are you sure about number of locked accounts? According to this query it is 37,669.--Nemoralis (talk) 22:48, 27 March 2025 (UTC)
- Nevermind, phab:T389728 Nemoralis (talk) 22:54, 27 March 2025 (UTC)
Two Factor Authentication
[edit]Thanks for sharing this information. This incident was well managed. But I believe it's a warning. The development of 2FA (stalled for the moment) should continue. All users should be able to activate 2FA, and in addition to TOTP, tokens like FIDO U2F should also be available. MBq (talk) 05:34, 28 March 2025 (UTC)
Strong support to active 2FA for all users. -- Mr. Ibrahem (talk) 06:27, 28 March 2025 (UTC)
- No, because Wikimedia is too large to handle users that don't know how to work with 2FA. At the very least I don't see this as tenable unless SMS authentication (even if it's not secure) is introduced. Leaderboard (talk) 07:07, 28 March 2025 (UTC)
- Understood, but one of the foundations’s goals is to empower people, which imho includes access to state-of-the-art security when using our site. Probably some A/B testing in smaller communities would help to anticipate the problems you’re adressing? MBq (talk) 15:09, 28 March 2025 (UTC)
- First, they need to include the additional authentication options. Then we can look into expanding 2FA access. Leaderboard (talk) 07:40, 2 April 2025 (UTC)
- Understood, but one of the foundations’s goals is to empower people, which imho includes access to state-of-the-art security when using our site. Probably some A/B testing in smaller communities would help to anticipate the problems you’re adressing? MBq (talk) 15:09, 28 March 2025 (UTC)
- No, because Wikimedia is too large to handle users that don't know how to work with 2FA. At the very least I don't see this as tenable unless SMS authentication (even if it's not secure) is introduced. Leaderboard (talk) 07:07, 28 March 2025 (UTC)
- Any user can already activate 2FA. The process for this is pretty much just asking the stewards at SRGP and attest that you actually read the help page. EggRoll97 (talk) 02:47, 30 March 2025 (UTC)
- User can manually request to activate 2FA by reading Help:Two-factor_authentication and visiting SRGP, an expansion to more users should be doable at this time.–Vulcan❯❯❯Sphere! 06:37, 10 April 2025 (UTC)
- Yeah I don't support making it available by default to everyone – the current system works fine and all it'll do is encourage people to enable something they don't know the full consequences of. //shb (t • c) 06:54, 10 April 2025 (UTC)
- Probably not until there is more awareness about 2FA in general, enabling it is one thing but the most difficult would be the recovery process (in case of forgotten or lost recovery/scratch codes).–Vulcan❯❯❯Sphere! 07:23, 10 April 2025 (UTC)
- Yeah I don't support making it available by default to everyone – the current system works fine and all it'll do is encourage people to enable something they don't know the full consequences of. //shb (t • c) 06:54, 10 April 2025 (UTC)
How to get unlocked
[edit]One majour question is that how to get unlocked for an affected person. One of the active admin (User:Vijayanrajapuram) in Malayalam Wikipedia got locked. He is saying that he never used his wikimedia password anywhere else. And we cannot loose him in Malayalam proejct. So the question is what are the procedure to get unlocked. Ranjithsiji (talk) 17:33, 1 April 2025 (UTC)
- Many users were contacted with unlock directions already, if they were not, they should send an email to ca
wikimedia
org. Ensure they include their username. — xaosflux Talk 17:54, 1 April 2025 (UTC)
