On November 12, the Wikimedia Operations team identified a security incident on the Wikimedia Foundation’s Mailman mailing list system that resulted in the breach of four staff email accounts. We immediately investigated the incident, addressed the underlying vulnerabilities, and took steps to remedy the situation.
To our knowledge, the affected accounts have now been secured, and the security incident has been resolved. As part of our commitment to transparency, we are sharing an overview of this incident and how we responded.
How did this happen?
An account with legitimate access to the server hosting our mailing list system obtained passwords from configuration files. A number of those passwords were then tested against staff email accounts and matched in four cases.
What has been done to fix it?
We immediately locked the four affected staff accounts, changed affected passwords, and applied additional security measures. We also locked the account believed to have been behind the breach and have terminated all future access from that account to internal systems. At this time, we have no evidence of other production services being impacted. Out of an abundance of caution, we are in the process of regenerating all passwords stored by our mailing list system. If you use your Mailman password for other accounts, we recommend that you change your password for those accounts.
The Wikimedia Foundation takes the privacy of staff and users very seriously. We will continue to monitor our systems and implement additional security measures to prevent this from happening again.
We would like to thank the various teams, including Ops, Performance, Communications, Legal, Office IT, and Community Advocacy, that worked together throughout the day to expeditiously investigate and resolve this issue.