AO3 News

AO3 Update

This year, in recognition of World Password Day, we’re asking all fans to spend a few minutes ensuring that their passwords – and their AO3 accounts – are secure.

Recently, the Policy & Abuse committee (PAC) has seen an increasing number of users who have lost access to their AO3 accounts because they used an insecure password. We'd like to reassure our users that there is no indication that AO3 has experienced a data breach. PAC has been able to determine that all of the affected users' login information had been compromised in other ways, such as by accidentally downloading malware to their devices and/or by re-using the same password on AO3 that they had also used on a compromised website.

In early 2025, several large datasets were posted online, containing hundreds of millions of email/password pairs obtained from malware and compromised websites. It's common practice for scammers to test these compromised email/password pairs on other websites, in case the affected passwords were reused elsewhere. This allows the scammer to access accounts on websites that have never experienced a data breach, such as AO3. After gaining access to an account, the scammer may then change the account's email, password, and/or username, or sell the account information to other people.

AO3 is always free to use, but some people might not understand how to create their own AO3 account. There are many reasons for this, such as language barriers and unfamiliarity with our site. These people may purchase AO3 account information in the mistaken belief that AO3 accounts can be sold legitimately. They only discover they have been scammed once PAC re-acquires the account to give it back to the original owner.

PAC has been working diligently to identify compromised accounts and restore them to their original owners. We have also been working with the victims of the account-selling scam to help them create their own free AO3 accounts. Unfortunately, sometimes these victims, thinking the account they purchased legitimately belongs to them, may delete works or other content posted by the original account owner. While PAC can restore ownership of an account, we are unable to restore deleted content.

Ensure Your Password is Secure

You can reduce your vulnerability to this kind of incident by following internet security best practices:

  • Set a unique, secure password for each and every one of your accounts on all platforms.
  • Don't ever reuse passwords or share your passwords with anyone else for any reason.
  • Use a password manager. This will help you to set unique, secure passwords for each of your accounts without worrying about forgetting them. Many browsers have a free, built-in password manager if you would prefer not to download third-party software.
  • Keep your antivirus software and operating system up to date, and set them to scan for malware regularly.
  • Check the website haveibeenpwned.com to see if your emails, passwords, and other information may have been exposed in data breaches. Change your passwords for any breached websites and any accounts on other sites where you may have used the same password.
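The password check recommended in the last item can be done without revealing the password itself. The sketch below is an added example, not AO3's or haveibeenpwned.com's own code: it follows the range-query scheme of the Pwned Passwords service, in which only the first five characters of the password's SHA-1 hash are sent and the comparison is finished locally. The breach data, the function names and the stand-in lookup are constructed for illustration so that the example runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus (password -> times seen). Not real data.
CONSTRUCTED_BREACH_COUNTS = {"password": 1000, "hunter2": 42, "fandom4ever": 3}


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_response(prefix):
    """Offline stand-in for a range endpoint: returns 'SUFFIX:COUNT' lines for
    every corpus hash starting with the 5-character prefix. A real client would
    instead fetch https://api.pwnedpasswords.com/range/<prefix>."""
    lines = ["0" * 35 + ":7"]  # constructed unrelated entry sharing the prefix
    for password, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch_range=constructed_range_response):
    """Return how often the password appears in the corpus, or 0 if absent.
    Only the 5-character hash prefix is ever passed to fetch_range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # The suffix comparison happens locally, so the service never learns
        # which of the returned hashes (if any) belongs to the caller.
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-7391"):
        seen = breach_count(candidate)
        verdict = f"seen {seen} times, change it" if seen else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

A count of 0 only means the password is absent from the data that was queried; it still needs to be unique to each account.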

If you are ever worried that your AO3 account is at risk of being compromised, you should do the following:

  • Change your password immediately. This will automatically log you – and anyone else accessing your account – out of all sessions on all devices.
    • If you’ve forgotten your password, but you have access to the email address currently associated with your AO3 account, you can log out and reset your password instead.
    • If you’ve forgotten your password, and you no longer have access to the email address you used for your account, please contact Support.
  • Make sure the email address associated with your AO3 account is one that you check regularly, as this is where all notifications about your account will be sent. If you need to update your email address, please refer to our FAQ about changing your email.

If you've received an email from @archiveofourown.org saying that the email associated with your account has been changed to one you don’t recognize, and you can't log in to your account, please contact Policy & Abuse. PAC treats compromised accounts as a matter of high priority, and will work with you via email to restore your account. If it's been over a week and you have not heard back from a PAC volunteer about the status of your account, check your email (including any spam, social, or other folders) before replying to our email or submitting a new Abuse report.

Again, we emphasize that there has not been any breach of AO3's servers. We are also developing and implementing additional measures to help prevent unauthorized access to AO3 accounts. However, your account is only as secure as your password and email. We encourage all users to take a few minutes today to ensure that your AO3 password is unique and your email address is up to date.