Admins desysopped

Four administrator accounts desysopped after hijacking, vandalism

On 7 May 2007, four administrator accounts were desysopped as an emergency response after they were used to commit acts of vandalism, including deleting the Main Page and blocking several other administrators. The incident highlighted the need for improved individual and site-wide password security.

The four accounts, AndyZ, Jiang, Conscious, and Marine 69-71, were protected by weak passwords that were cracked by an unknown person. Since the incidents, two admins (AndyZ, Marine 69-71) have been resysopped after their identities were confirmed.

Incident reports

AndyZ

Admin AndyZ (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) was indefinitely blocked and desysopped after deleting the main page with the edit summary, "My password is password!" Mark logged in to the account, changed the password, and emailed the user asking for an explanation. Late Monday evening, an IP user claiming to be AndyZ posted to the administrators' noticeboard and apologized. AZPR, a semi-bot account operated by AndyZ, also logged in and posted an unblock request at User talk:AndyZ [1]. At the time of original publication, AndyZ's main account remained indefinitely blocked pending verification of his identity; because AndyZ had not edited under his usernames for over two months, and checkuser data is retained only for a limited period in keeping with Wikimedia's privacy policy, checkuser verification of his account was not technically feasible. On 8 May 2007, AndyZ was unblocked per this unblocking request by Thatcher131.

Checkuser evidence on the attacker, meanwhile, revealed that the deletion of the main page was done through an open proxy, but that the block of Ryulong was made from an IP address used by BuickCenturyDriver (talk · contribs · deleted contribs · logs · filter log · block user · block log). As a result, BuickCenturyDriver was also indefinitely blocked. While it is possible that BuickCenturyDriver was the culprit behind the main page vandalism, it is also possible that he saw AndyZ's password exposed in the deletion log and decided to play a prank. BuickCenturyDriver has asked to be unblocked, and discussions are ongoing.

Jiang

Admin Jiang (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) was indefinitely blocked and desysopped after deleting the main page and blocking Jimbo Wales. Jiang admitted on his user talk page that his password was "fuckyou", which is the 7th most commonly used password. Mark unblocked Jiang after Jiang e-mailed him from his registered e-mail address, and after a checkuser established that the vandal edits were made from an open proxy, but that Jiang's subsequent edits were made from his long-time IP address.

Conscious

Admin Conscious (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) was indefinitely blocked and desysopped after deleting the main page and several other articles and blocking a dozen or so editors. At the time of original publication, Conscious had not made contact or requested to have his account unblocked. On 11 May 2007, Conscious was unblocked per this unblocking request by Thatcher131, and was resysopped.

Marine 69-71

Administrator Marine 69-71 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA) (also known as Tony the Marine) was indefinitely blocked and desysopped after deleting the main page and blocking several editors. Marine 69-71 requested unblocking on his user talk page and admitted to using a weak password. Checkuser confirmed that the vandal edits were made from an open proxy, but that Marine's subsequent edits were made from his long-time IP address. After he confirmed that he had changed his password, and his son, AntonioMartin, confirmed that his father was in control of the account, he was unblocked and resysopped.

Eagle 101

A fifth administrator, Eagle 101 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA), also deleted the Main Page, but this was an accident caused by his browser locking up. He was desysopped but resysopped 3 minutes later after confirming that his account was not compromised.

Responses

Robdurbar?

Immediately following the incidents, some users questioned whether the attacks were related to Robdurbar's similar rampage. That earlier episode was not the result of a hacking: banned user Robdurbar, a sockpuppet account of Wonderfool, had deliberately and successfully sought adminship in order to eventually create havoc (see archived story). However, checkuser Dmcdevit confirmed that the attacker was not related, saying, "I'm very sure Robdurbar isn't related. He's an actual rogue admin, with a university IP as well as his Tiscali ones. No open proxies."

Regaining Adminship

Normally, the decision of whether to restore adminship is left to the discretion of the bureaucrats. In discussions at the Bureaucrats' noticeboard, several bureaucrats have expressed a willingness to "reinstate the rights of any administrator who can demonstrate that the compromised account in fact belongs to him", as long as the editor also affirms that he or she is now using a strong password.

Other editors have expressed the feeling that administrators who compromised Wikipedia's security through a weak password may have lost the community's trust and should have to re-apply for adminship through RFA.

At the time of original publication, only Marine 69-71 had been restored to administrator status; the individual incident reports above record later restorations.

Password Security

Several editors have called for increased password security. Although administrator accounts make an attractive target for vandals, any account with a weak password is vulnerable to being hijacked. Editors who do not already have a strong password should consider changing their password or risk permanently losing access to their accounts.

A new proposed policy, Wikipedia:Security, emphasizes personal responsibility for password security. It also discusses potential security weaknesses, including weak passwords and packet sniffing, with recommendations on how to access Wikipedia securely. A bugzilla report has been filed requesting several security improvements, such as requiring newly registered users to select stronger passwords and limiting the number of failed login attempts a user may make, to reduce the ability of crackers to guess passwords by brute force.
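The two measures requested in the bugzilla report, a minimum password standard at registration and a cap on failed login attempts, are small to implement. The following is an added example written for this page, not MediaWiki code and not the proposed policy's text; the common-password list is a constructed stand-in for a real dictionary (it includes the two passwords confirmed on this page), and the length and lockout thresholds are assumptions chosen for illustration. The throttle counts failures both per account and per source IP, which matters here because the attacker worked through open proxies: an attacker cycling proxies against one account hits the account counter, and one proxy cycling accounts hits the IP counter.

```python
"""Added example (not from the Signpost article or MediaWiki): a minimal
password-policy check and a failed-login throttle of the kind the proposed
policy and bugzilla request call for. Thresholds are illustrative assumptions."""
import time
from collections import defaultdict, deque

# Constructed list standing in for a real common-password dictionary.
# The two entries confirmed on the page ("password", "fuckyou") are included.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "fuckyou", "monkey", "iloveyou", "admin", "wikipedia",
}

MIN_LENGTH = 8  # assumed threshold, not a MediaWiki value


def password_problems(username: str, password: str) -> list:
    """Return every reason the password is unacceptable (empty list = OK)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username.lower() in lowered:
        problems.append("contains the username")
    # Require at least two character classes so single-word passwords fail.
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 2:
        problems.append("uses only one character class")
    return problems


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed per account and per
    source IP, so a cracker can neither cycle open proxies against one
    account nor cycle accounts from one proxy without being stopped."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be tested
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _prune(self, key, now):
        """Drop failures older than the window and return the live queue."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, username: str, ip: str) -> bool:
        now = self.clock()
        return any(
            len(self._prune(k, now)) >= self.max_failures
            for k in (f"user:{username}", f"ip:{ip}")
        )

    def record_failure(self, username: str, ip: str) -> None:
        now = self.clock()
        for k in (f"user:{username}", f"ip:{ip}"):
            self._prune(k, now).append(now)

    def record_success(self, username: str, ip: str) -> None:
        # A successful login clears the account's counter but not the IP's,
        # so a proxy hammering many accounts stays throttled.
        self._failures.pop(f"user:{username}", None)


def attempt_login(throttle, check_credentials, username, password, ip):
    """Gate a credential check behind the throttle. Returns 'ok', 'denied'
    or 'throttled'. check_credentials is the caller's real verifier; the
    throttle is consulted before it, so a locked account is not even checked."""
    if throttle.is_blocked(username, ip):
        return "throttled"
    if check_credentials(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"
```

Note that once the account counter is full, even the correct password is refused until the window expires; that is the intended trade-off, since the legitimate owner can wait out a few minutes while a cracker cannot make progress.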

Lead developer Brion Vibber has run a password cracker on all administrator accounts and invalidated the weak passwords of several additional admin accounts. These admins will have to reset their passwords by e-mail before logging in again. Wikipedia:Administrators has been amended to note the importance of strong passwords for administrators, bureaucrats, checkusers, stewards and oversighters. HighInBC has sent a mass e-mail to all administrators informing them of the situation and advising them to select strong passwords if they have not already done so.
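The audit described above is an offline dictionary attack run by the site operator against its own stored hashes, followed by invalidation of every hash that falls. The following is an added example written for this page, not Brion Vibber's tool and not MediaWiki code. The stored-hash layout, `:B:salt:md5(salt + "-" + md5(password))`, is an assumption modelled on salted-MD5 schemes of the period and is not a claim about what MediaWiki used; the account names, salts and wordlist are constructed sample data (the first two passwords are the ones confirmed on this page). The point the code makes is that a per-user salt forces a separate pass over the dictionary for each account but does nothing to rescue a password that is in the dictionary.

```python
"""Added example (not Brion Vibber's tool or MediaWiki code): an offline
dictionary audit of stored password hashes, of the kind a site operator runs
to find and invalidate weak admin passwords. The hash layout here,
md5(salt + '-' + md5(password)) stored as ':B:salt:hash', is an assumption
modelled on salted-MD5 schemes of the period, not a claim about MediaWiki."""
import hashlib
import itertools
import secrets


def make_hash(password: str, salt: str = "") -> str:
    """Produce a ':B:salt:digest' record (assumed layout; see module docstring).
    A fresh random salt is drawn when none is supplied."""
    salt = salt or secrets.token_hex(4)
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    digest = hashlib.md5(f"{salt}-{inner}".encode("utf-8")).hexdigest()
    return f":B:{salt}:{digest}"


def verify(password: str, record: str) -> bool:
    """Check a password against a stored record. Anything that is not a
    well-formed ':B:' record (such as a reset sentinel) never matches."""
    parts = record.split(":")
    if len(parts) != 4 or parts[1] != "B":
        return False
    return make_hash(password, parts[2]) == record


def candidates(word: str):
    """Cheap mangling rules a cracker applies to each wordlist entry:
    case variants, a trailing '!', leet substitutions, a trailing digit."""
    base = {word, word.lower(), word.capitalize(), word.upper()}
    for w in list(base):
        yield w
        yield w + "!"
        yield w.replace("o", "0").replace("l", "1")
        for d in range(10):
            yield f"{w}{d}"


def audit(records: dict, wordlist: list, max_guesses: int = 200_000) -> dict:
    """Try the wordlist (plus mangling) against every account's salted hash.
    Returns {username: recovered_password} for each account that fell.
    Because each record carries its own salt, every account costs its own
    pass over the dictionary; the salt slows the attacker down but a
    dictionary password still falls within the first few hundred guesses."""
    cracked = {}
    for user, record in records.items():
        salt = record.split(":")[2]
        guesses = (c for w in wordlist for c in candidates(w))
        for guess in itertools.islice(guesses, max_guesses):
            if make_hash(guess, salt) == record:
                cracked[user] = guess
                break
    return cracked


def invalidate(records: dict, cracked: dict) -> dict:
    """Replace cracked accounts' records with a sentinel no password can match,
    forcing an e-mail reset before the next login (the outcome the page reports).
    Uncracked records are left untouched."""
    return {u: ("!reset-required" if u in cracked else r) for u, r in records.items()}


# Constructed sample data: four admin accounts. Two use the passwords confirmed
# on the page, one uses a mangled dictionary word, one a long random passphrase.
SAMPLE_RECORDS = {
    "AndyZ":   make_hash("password", "1a2b3c4d"),
    "Jiang":   make_hash("fuckyou", "deadbeef"),
    "Mallory": make_hash("Monkey7", "0badf00d"),
    "Eagle":   make_hash("correct horse battery staple 9x", "cafebabe"),
}
SAMPLE_WORDLIST = ["password", "fuckyou", "monkey", "qwerty", "letmein", "wikipedia"]

if __name__ == "__main__":
    found = audit(SAMPLE_RECORDS, SAMPLE_WORDLIST)
    for user, pw in found.items():
        print(f"{user}: weak password recovered ({pw!r}), forcing reset")
    SAMPLE_RECORDS = invalidate(SAMPLE_RECORDS, found)
```

MD5, salted or not, is far too fast to be an acceptable password hash today; the audit procedure itself is unchanged with a slow, memory-hard KDF, it just costs the operator (and the attacker) proportionally more per guess.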

Several additional security measures have been added to the MediaWiki software or will be added in the near future:


Discuss this story

TOR

Probably should mention that Jayg is cracking down on TOR nodes because of this; previously most of them were being softblocked, but he's hardblocking all of them. --Gwern (contribs) 03:32 8 May 2007 (GMT)

Maybe. On the other hand admin accounts are not subject to IP blocks, so can't someone use tor with an admin account? Thatcher131 03:36, 8 May 2007 (UTC)
I don't know. That sounds about right, but I don't know for sure. On the other hand, if that is true, that would suggest the hardblocks are even more pointless than I've been saying to Jayg. --Gwern (contribs) 04:23 8 May 2007 (GMT)
I think this would be good for an article next week after some time to digest. There are a lot of people who favor hard blocks for a number of reasons. Probably should not be shoehorned here at last minute. Thatcher131 03:40, 8 May 2007 (UTC)
It's no less last minute than the rest of the stuff, I'd say. But I do have an ulterior motive in suggesting it, as I've learned that you need to jump on these things early before 'consensus' and inertia build up. --Gwern (contribs) 04:23 8 May 2007 (GMT)
That's a big mistake. Tor is a necessity in places where Wikipedia is blocked. Blocking all tor access effectively prohibits a billion or so people from editing/reading the site. — BRIAN0918 • 2007-05-09 15:39Z

"My password is password!"

I was lucky enough to see the first incident (the User:AndyZ one) in progress, and saw that fateful edit summary shortly after creation. I naturally thought "Ah. A compromised account is running wild; and the hacker has set the password so anybody can join in. I wonder how many will?"

Obviously there's a lot of evidence that User:BuickCenturyDriver did just that. But how many others did? I would imagine lots of others, no? During the minutes between "My password is password!" and the point where User:Mark took control of the account, how many IP addresses all over the place logged on? This seems like a prime bit of news for the newspaper! Inquiring minds want to know. Doops | talk 00:36, 9 May 2007 (UTC)

As far as I know from the checkuser evidence that has been described, BuickCentury was the only cat killed by curiosity. All the rest of the IP evidence points to one cracker behind all the attacks. Jiang's password was not revealed until later, by him, and Marine and Conscious' passwords have never been revealed. Thatcher131 03:13, 9 May 2007 (UTC)
That's amazing. You'd think there'd be handfuls! How soon did Mark change the password? Doops | talk 03:39, 9 May 2007 (UTC)
I don't know. It could have been any time after the account was blocked and desysopped. Incidentally, I will be writing a followup article for next week to cover developments after this issue was finalized. Thatcher131 03:44, 9 May 2007 (UTC)
It took about a minute after I saw that to log out, log in and change the password. Apparently as soon as a password is changed, it logs out all other computers logged in on that account. Luckily it seems nobody got around to doing any damage beyond what has been described. Chances are, not a whole lot of passing randoms know how to get to the deletion log to find out the deletion summary. - Mark 06:05, 9 May 2007 (UTC)
AndyZ has since been unblocked. This should be reflected in the Signpost article. I would change it, but I am generally quite awful at wording things like that. --Dreaded Walrus t c 13:10, 9 May 2007 (UTC)
Oh, wait. I should have read the full thing before posting here. I just saw the "as of this writing" bit and jumped straight in here. --Dreaded Walrus t c 13:20, 9 May 2007 (UTC)

Dire warnings in Wikipedia:Administrators no longer current

I wrote that text on Wikipedia:Administrators thinking it was the way things would go. Then Brion did something different. I've reworded the text accordingly - David Gerard 11:56, 9 May 2007 (UTC)

This is my first Signpost article so I don't know if it's supposed to be like a newspaper that doesn't change once it's printed or whether it should be updated, and for how long after publication. I'll look at WP:Admins and think about toning down the article. Thatcher131 12:23, 9 May 2007 (UTC)
Signpost articles are more like newspaper articles than mainstream wiki articles - they are rarely edited to reflect developments of substance after the date of publication (although minor amendments are often made - this is a wiki, after all). -- ALoan (Talk) 10:14, 10 May 2007 (UTC)

BuickCenturyDriver

The part on him is inaccurate since he has now been unblocked after an apology and the AGF of 4 admins. Sodaplayer talk contrib ^_^ 22:40, 10 May 2007 (UTC)

There will be a followup story next week, this is more like a newspaper and at the time it was written he was blocked. Thatcher131 22:42, 10 May 2007 (UTC)

A useful userbox

This user has a Strong Password.

--One Salient Oversight 07:56, 12 May 2007 (UTC)

The Signpost · written by many · served by Sinepost V0.9 · 🄯 CC-BY-SA 4.0