
Wikimedia Foundation/March 2025 discovery of account compromises

From Meta, a Wikimedia project coordination wiki

The Wikimedia Foundation, in collaboration with volunteer functionaries, recently identified a pattern of unusual log-ins to registered accounts. After investigation, functionaries and WMF staff globally locked 35,893 accounts, which logs these users out and prevents them from logging in. If your account was impacted and had an email address associated with it, you should have received an email from privacy@wikimedia.org with recommended next steps.

Based on everything our security and engineering teams have found, we believe this unauthorized activity is most likely the result of user passwords becoming compromised, either through users reusing their password on a website that was itself breached, or through logging into Wikimedia projects from a compromised device. Either way, the attacker ends up holding valid username and password pairs, which enables "credential stuffing": an unfortunately common attack in which bad actors take stolen usernames and passwords and try those same combinations on other websites where the same username or email is used for an account. Account information from the affected accounts (such as associated email addresses, time zones, and other profile settings) was accessible to the attacker prior to the account being locked.

We don’t currently have any reason to believe Wikimedia’s systems were the source of the compromise, nor do we have any evidence that any particular user or group of users, or any specific community were targeted. These were mostly inactive or low-activity accounts – only around 2% of the affected user accounts had ever made 100 or more edits in their lifetime. We are still investigating, but we have not seen evidence of significant malicious editing activity from any compromised account, so we do not currently believe the integrity of Wikimedia content was affected.
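The "pattern of unusual log-ins" that typically reveals credential stuffing is one source trying many distinct accounts in a short window with a low success rate, and the accounts that did succeed from such a source are the likely compromises. The following is an added example, not Wikimedia code: the log format, field names, thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing sources and the accounts they got into.

Added example, not Wikimedia code. The log format
("<ISO timestamp> <src_ip> <user> <success|failure>"), the thresholds and
the sample lines are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the hypothetical auth log format."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "success")


def stuffing_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_success_ratio=0.5):
    """Return {src_ip: set(users)} for sources that tried at least
    `min_users` distinct accounts within `window` and mostly failed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        # Sliding window over this source's events in time order.
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            if len(users) < min_users:
                continue
            success_ratio = sum(e.ok for e in chunk) / len(chunk)
            if success_ratio <= max_success_ratio:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def compromised_accounts(events, **thresholds):
    """Accounts with a successful login from a flagged source: these are the
    ones to lock and notify first."""
    flagged = stuffing_sources(events, **thresholds)
    hits = {e.user for e in events if e.ok and e.src_ip in flagged}
    return sorted(hits)


# Constructed sample log: one stuffing source (documentation range
# 203.0.113.0/24) walking a list of accounts, plus two benign sources.
SAMPLE_LOG = [
    "2025-03-20T12:00:00 203.0.113.5 alice failure",
    "2025-03-20T12:00:05 203.0.113.5 bob success",
    "2025-03-20T12:00:11 203.0.113.5 carol failure",
    "2025-03-20T12:00:17 203.0.113.5 dave failure",
    "2025-03-20T12:00:24 203.0.113.5 erin failure",
    "2025-03-20T12:00:30 203.0.113.5 frank success",
    "2025-03-20T12:00:36 203.0.113.5 grace failure",
    "2025-03-20T12:01:00 198.51.100.7 heidi failure",   # a typo, then success
    "2025-03-20T12:01:20 198.51.100.7 heidi success",
    "2025-03-20T12:02:00 192.0.2.9 ivan success",       # shared office NAT
    "2025-03-20T12:02:30 192.0.2.9 judy success",
]
SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for ip, users in stuffing_sources(SAMPLE_EVENTS).items():
        print(f"stuffing source {ip}: tried {sorted(users)}")
    print("accounts to lock:", compromised_accounts(SAMPLE_EVENTS))
```

On the constructed sample this flags only 203.0.113.5 and names bob and frank as the accounts to lock. A per-source threshold is the simplest version of the check; real stuffing campaigns are usually spread across proxy pools so that no single address crosses it, which is why production detection also looks at the global failure rate, the share of logins hitting long-dormant accounts, and repeated client fingerprints across addresses.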

Next steps for Wikimedia users


Firstly, we encourage any users who were directly affected by the incident to immediately change their password on any online account in which they used the same password. More generally, we encourage all users to use unique passwords for every website on which they have an account, which widely available password managers can help with.

Wikimedia accounts do not require an email address, but we are very limited in our ability to help recover access to compromised accounts that don’t have one. We generally recommend having a confirmed email address on your Wikimedia account. Please see our Password policy to learn more about requirements and good practices for your Wikimedia account password.

Thank you to the volunteer functionaries who assisted with rapidly responding to this incident. At the Foundation, we are implementing additional security protections for Wikimedia user accounts as part of our ongoing work preventing and identifying incidents like this from happening in the future. If you see any related discussions, please direct folks to this Meta-Wiki page and bring questions to the talk page.

We will share more about this work soon. Thanks!

Updates

  1. (21:17, 28 March 2025 (UTC)) The language in the above post has been updated to reference the possibility of compromised devices contributing to the attack, not just compromised websites. As our review of account activity is ongoing, we also qualified that we have not seen "significant" signs of malicious editing, rather than "any" signs. You can see the revised changes on the page history (link to comparison).