The Signpost

Discussion report

Compromise of two administrator accounts prompts security review

Related articles

Kalanick's nipples; Episode #138 of Drama on the Hill
23 June 2017

Compromise of two administrator accounts prompts security review
11 November 2015

Security issue fixed; VisualEditor changes
4 February 2015

A busy week: Git switchover, mobile site upgraded, and still time for three security releases
26 March 2012

Bugs, Repairs, and Internal Operational News
23 August 2010

More articles

On November 4, in a protest against Wikimedia security practices, a grey hat hacker compromised the accounts of the administrators Salvidrim! and OhanaUnited and, from those accounts, posted two messages to the bureaucrats' noticeboard requesting immediate desysopping of those accounts.

The hacker claimed responsibility for the breach on Reddit[1], criticizing the status quo of security on Wikimedia projects:

Countless usernames, emails and plain text passwords of Wikipedia accounts are listed in the data breaches, including accounts with CU/OS permissions. One that stood out was that of a former arb and WMF staff member whose same password was listed on multiple dumps. I also came across login details for multiple emails ending with, recognized some as having developer access. FWIW, they all had mostly strong passwords, although it hardly matters if they use the same password on WP. Now, I didn’t try logging into any of these to check if they work or not. The only reason I tried logging into these two accounts is because I recognized them as familiar admin accounts which had numbers as passwords and I was convinced it wouldn’t give me access. Once it did, I only had two options, either post to BN or forget about it. Had I reported it to Arbcom or privately, it would have been swept under the rug.

For all we know, people have been accessing admin accounts with impunity for years without anyone knowing. Nothing short of a forced reset for passwords on all privileged accounts is going to solve this.

I didn’t comb through the data further nor do I intend to - but that does not mean others won't.

— cwmtwrp

Although both administrators were able to regain access to their accounts, editors nonetheless raised concerns about account security on Wikipedia and Wikimedia projects. Some ideas were raised at the noticeboard discussion, including password complexity requirements and identifying privileged accounts with weak passwords. One day later, after consultation with the Wikimedia security team, Worm That Turned opened a RfC to review the status quo of security and to receive proposals on how to strengthen account security.

In brief

+ Add a comment

Discuss this story

These comments are automatically transcluded from this article's talk page. To follow comments, add the page to your watchlist. If your comment has not appeared here, you can try purging the cache.

This would be a good time for editors, especially administrators, to change passwords and use a good one. Jonathunder (talk) 00:01, 16 November 2015 (UTC)[reply]

  • RfA reform, again: The long and convoluted RfC tells us nothing new. Started by well meaning relative necomers to the challenge of RfA reform, preferring not to take any cues or clues from the mighty work that was done at WP:RFA2011, they naīvely thought that reinventing the RfC wheel would prod some of those oft proposed reforms into action. Refreshing though to see it confirmed that 5 years ago we weren't wrong. --Kudpung กุดผึ้ง (talk) 10:16, 16 November 2015 (UTC)[reply]
Perhaps I am misreading your comment, but it appears you are applauding a failure to improve the Wiki. Maury Markowitz (talk) 12:24, 16 November 2015 (UTC)[reply]
  • NOTHERE I said this on the talk page, but I'll put it here too: How is this not already *the* core principle of this place? People have been banned for it a decade ago. Why don't we ban everyone who disagrees with it? What's wrong with people who don't accept it? DreamGuy (talk) 00:45, 17 November 2015 (UTC)[reply]


The Signpost · written by many · served by Sinepost V0.9 · 🄯 CC-BY-SA 4.0