Photo by PereslavlFoto, CC BY-SA 3.0.

Beginning on Friday, November 11, 2016, wiki accounts belonging to Wikimedia Foundation staff and community members were temporarily compromised. This incident is under investigation, and we will make more information available as we are able to do so. As part of our commitment to be transparent with our users, we are providing an overview of the incident, and sharing information about our response.

What happened?

On Friday, November 11, a number of Wikimedia Foundation staff and Wikimedia community accounts were temporarily accessed by an unidentified and unauthorized third party. This unknown person or persons made several edits to Wikimedia sites (en.wikipedia.org, wikimediafoundation.org, and mediawiki.org) while in control of these accounts. The attacker has continued attempting to access other accounts over the past several days, with the latest efforts taking place today, Wednesday, November 16.

What is being done?

Since the attack began, volunteer community members and Foundation staff have worked diligently to lock the compromised accounts and restore them to their owners, and to revert the edits made by the attackers. As this activity continues, we are actively monitoring the projects to secure compromised accounts, and revert malicious edits. We have enabled two-factor authentication for all Wikimedia Foundation staff and project administrators. We are working on enabling this feature for all accounts as soon as possible.

Additionally, we encourage everyone to change their passwords as a standard precautionary measure, and to ensure that they are using good password hygiene. This means:

  • Using strong passwords, containing at least 8 characters and including letters, numbers, and symbols.
  • Using unique passwords for your wiki accounts, and not reusing them for any other website or any other purpose. This includes not reusing them across Wikimedia services (for instance, using the same password on your Gerrit account that you use to access the projects).
  • Changing passwords periodically.
  • If you are an administrator and have not enabled two-factor authentication on your account, please do so right away.

We recommend that everyone take a moment to consider their password practices. Strong, unique passwords will help us to protect the projects from attacks like this.

Our investigation into this incident is still ongoing, and we will make more information available as we are able to do so. We can, however, address donors' concerns now.

“This incident did not affect fundraising operations,” said Lisa Gruwell, Chief Advancement Officer of the Wikimedia Foundation.

Donor and payment information is kept in a separate database and uses separate and dedicated server infrastructure with additional security. Donor and payment information was not involved in this incident.

The Wikimedia Foundation takes the privacy and security of users and staff very seriously. We will continue to monitor the projects and stop these attacks, and will be implementing additional security measures to prevent another similar incident.

Darian Anthony Patrick, Security Manager*
Wikimedia Foundation

*We would like to thank the volunteer admins and WMF teams, including Ops, Support and Safety, Editing, Labs, Reading, Release Engineering, Legal, and Communications, that have worked diligently to investigate and respond to this incident.

This post has been updated with information from the Wikimedia Foundation’s fundraising team.