Author Topic: Digi-key password update  (Read 8163 times)


Offline bitwelderTopic starter

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: fi
Digi-key password update
« on: July 28, 2019, 06:11:11 am »
This morning I've got an email from Digi-key (specifically, digikey.fi) where they said that "We are taking steps to update and improve the security of our customers' online accounts. As a result, we are asking you to take action by updating and strengthening your My Digi‑Key password."

So (instead of clicking on the 'courtesy' login link in the mail, just my normal anti-phishing hygiene) I went to their page and tried to login, but it failed. Hmm... Same with an older account I have I'm not using much nowadays. Longer hmmm...
In the end I used the 'forgot password' (via email) feature to update my credentials, and all is good. BTW, my old password was already long and 'strong'.

- Did anybody else receive similar emails recently?
- Is that just normal administration on Digi-key side, or do I smell a password database leak?


 

Offline Fred27

  • Supporter
  • ****
  • Posts: 726
  • Country: gb
    • Fred's blog
Re: Digi-key password update
« Reply #1 on: July 28, 2019, 06:17:27 am »
I got a similar email from Digikey UK. Not changed my password yet. It does sound a little bit like an email you might get if they've been hacked, but normally a company would admit it at this point. Maybe they've just been pen tested and found out they'd been using unsalted hashes and/or very weak passwords.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11322
  • Country: us
    • Personal site
Re: Digi-key password update
« Reply #2 on: July 28, 2019, 06:25:42 am »
Just got the same email. Got a forced password change form, which does not seem to work at all.

Sounds like a database leak.

Had to do password reset to be actually able to change it and login again.
« Last Edit: July 28, 2019, 06:31:24 am by ataradov »
Alex
 

Online nali

  • Frequent Contributor
  • **
  • Posts: 662
  • Country: gb
Re: Digi-key password update
« Reply #3 on: July 28, 2019, 07:33:18 am »
+1.

Went to Digikey (independently, not clicking the link in the email) and got a forced password reset. Couldn't log in afterwards until I cleared my cookies, but it's fine now.
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3029
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Digi-key password update
« Reply #4 on: July 28, 2019, 07:37:57 am »
Benefit of the doubt, my guess is that they maybe stored passwords as an MD5 or similar now essentially broken hashing algorithm and they want to move to a more robust hashing algorithm (SHAx), or maybe they were not salting the hash and now want to.
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11322
  • Country: us
    • Personal site
Re: Digi-key password update
« Reply #5 on: July 28, 2019, 07:44:02 am »
They could already do that. They get your password in plain text when you log in. So they could authenticate it using the old method and then store with salt and stronger hash, and then erase the old copy.
Alex
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27098
  • Country: nl
    • NCT Developments
Re: Digi-key password update
« Reply #6 on: July 28, 2019, 08:56:11 am »
Just got the same email. Got a forced password change form, which does not seem to work at all.

Sounds like a database leak.

Had to do password reset to be actually able to change it and login again.
Same here. But it is weird.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1061
  • Country: nz
  • Probe
Re: Digi-key password update
« Reply #7 on: July 28, 2019, 09:38:36 am »
This is the behaviour of a hacked company.

I'd wager they were storing unsalted passwords on their web server and got hacked.

Especially as my password was crazy strong. And if it wasn't, how could they know anyway?
 

Offline Mr.B

  • Supporter
  • ****
  • Posts: 1241
  • Country: nz
Re: Digi-key password update
« Reply #8 on: July 28, 2019, 09:41:47 am »
Interesting. I have not had such an email.
Two other Kiwis here have commented... Do you have Digikey accounts? Have you received such an email?
Where are we going, and why are we in a handbasket?
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1061
  • Country: nz
  • Probe
Re: Digi-key password update
« Reply #9 on: July 28, 2019, 09:46:03 am »
I went to digikey.com and logged in with my nz creds. I was invited to upgrade my password before I could continue.
 

Offline Mr.B

  • Supporter
  • ****
  • Posts: 1241
  • Country: nz
Re: Digi-key password update
« Reply #10 on: July 28, 2019, 09:47:21 am »
Ok.
Just tried to log on now and was challenged to enter a new password.

I think @apelly may be on the right path...
This is the behaviour of a hacked company.
Where are we going, and why are we in a handbasket?
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1061
  • Country: nz
  • Probe
Re: Digi-key password update
« Reply #11 on: July 28, 2019, 09:50:31 am »
It seemed like a completely shady way to do this too. They didn't have a plan in place and the marketing wankers decided to deal with it without consulting anyone technical.

Why the fuck would you click-track this kind of email?

Do you expect your customers to follow links in an unexpected password reset email?

It all stinks of panic at the moment.
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3756
  • Country: ca
  • Living the Dream
Re: Digi-key password update
« Reply #12 on: July 28, 2019, 09:54:58 am »
Digikey did have a notice on the website all week long of scheduled downtime for an upgrade this weekend.
VE7FM
 

Offline TheUnnamedNewbie

  • Super Contributor
  • ***
  • Posts: 1209
  • Country: 00
  • mmwave RFIC/antenna designer
Re: Digi-key password update
« Reply #13 on: July 28, 2019, 10:00:54 am »
Digikey did have a notice on the website all week long of scheduled downtime for an upgrade this weekend.

I think it is far more likely they got a security update this weekend, or security review was part of the update, and whoever did it pointed out that they were not being secure with how they were handling passwords. So now they want everyone to make a new password so they have no links back to the previous ones?

I think jumping to the conclusion that they must have been hacked is a bit rash...
The best part about magic is when it stops being magic and becomes science instead

"There was no road, but the people walked on it, and the road came to be, and the people followed it, for the road took the path of least resistance"
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1061
  • Country: nz
  • Probe
Re: Digi-key password update
« Reply #14 on: July 28, 2019, 10:11:49 am »
I think jumping to the conclusion that they must have been hacked is a bit rash...
You might be right. The way they're dealing with it seems like they have no idea if they were hacked or not. And, as I said before, it indicates they did not have a plan in place for it. Which is what you'd expect of your average company.

But you would expect your average company to be hacked at some stage too. It's not personal any more. It's just a numbers game.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7836
  • Country: de
  • A qualified hobbyist ;)
Re: Digi-key password update
« Reply #15 on: July 28, 2019, 10:19:49 am »
Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--
 

Offline Dabbot

  • Regular Contributor
  • *
  • Posts: 192
  • Country: au
Re: Digi-key password update
« Reply #16 on: July 28, 2019, 10:33:24 am »
+1 received an email and reset my DigiKey password this evening.

On the subject of this being a possible data breach, can we stop the irresponsible speculation and get an official response? DigiKey operates in multiple countries which have mandatory data breach reporting laws. Attempting to sweep this under the rug would place them in a far worse situation.
 
The following users thanked this post: rs20

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3029
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Digi-key password update
« Reply #17 on: July 28, 2019, 10:55:49 am »
They could already do that. They get your password in plain text when you log in. So they could authenticate it using the old method and then store with salt and stronger hash, and then erase the old copy.

Sure but that relies on people coming and logging in in some sort of timely fashion, and until such time the password is still in the more vulnerable state, they probably have thousands if not tens of thousands of abandoned accounts, or accounts which get logged into maybe once a year.

Better for them to just nuke everybody's password now and tell them to come and change it, the worst harm is that people have to do a forgot-password process.
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 
The following users thanked this post: rs20
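As an added example (not Digi-key's code, and not posted by anyone in this thread), here is one way to implement the transparent rehash-on-login that ataradov describes, together with the forced reset of never-migrated accounts that sleemanj argues for. The legacy unsalted-MD5 store, the PBKDF2 parameters and the user records are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed legacy store: unsalted MD5 hex digests, the weak state the thread speculates about.
LEGACY = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}
MODERN = {}     # user -> (random salt, PBKDF2-HMAC-SHA256 digest)
NUKED = set()   # users whose legacy hash was erased without migration; must use 'forgot password'


def _modern_hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; iteration count is an assumed value, tune for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(user: str, password: str) -> str:
    """Return 'ok', 'ok-migrated', 'bad' or 'reset-required'."""
    if user in MODERN:
        salt, digest = MODERN[user]
        return "ok" if hmac.compare_digest(_modern_hash(password, salt), digest) else "bad"
    if user in NUKED:
        # Old hash is gone; the only way back in is the email-based reset flow.
        return "reset-required"
    if user in LEGACY:
        presented = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(presented, LEGACY[user]):
            return "bad"
        # Password is known in plaintext at this moment, so rehash it properly
        # and erase the weak copy: the opportunistic migration ataradov describes.
        salt = os.urandom(16)
        MODERN[user] = (salt, _modern_hash(password, salt))
        del LEGACY[user]
        return "ok-migrated"
    return "bad"


def force_reset_unmigrated() -> list:
    """Erase every remaining legacy hash so dormant accounts do not stay weakly hashed
    indefinitely (sleemanj's objection); those users go through 'forgot password'."""
    nuked = sorted(LEGACY)
    NUKED.update(nuked)
    LEGACY.clear()
    return nuked


if __name__ == "__main__":
    print(login("alice", "correct horse"))   # migrated on first successful login
    print(force_reset_unmigrated())          # bob never logged in, so his hash is erased
    print(login("bob", "hunter2"))           # reset-required
```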

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5142
  • Country: nl
Re: Digi-key password update
« Reply #18 on: July 28, 2019, 11:00:59 am »
Better for them to just nuke everybody's password now...

They obviously didn't do that:

Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--
Keyboard error: Press F1 to continue.
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3029
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Digi-key password update
« Reply #19 on: July 28, 2019, 11:38:51 am »

They obviously didn't do that:

Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--

I'm a bit confused by madires' description. I was under the impression that people went to DK (after getting the email) and tried to login and couldn't, and had to do the PW change, because their old password no longer worked (which would indicate the passwords were nuked).

Madires' message could be read in either way, madires tried to change the password to the old/existing password and DK didn't let them, or he tried to log in after changing the password and it didn't let him... yeah I don't quite understand what Madires' process was from his description.

~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Offline DIPLover

  • Regular Contributor
  • *
  • Posts: 178
  • Country: ca
Re: Digi-key password update
« Reply #20 on: July 28, 2019, 11:45:16 am »
Got the email, changed my password on digkey.ca.
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27098
  • Country: nl
    • NCT Developments
Re: Digi-key password update
« Reply #21 on: July 28, 2019, 11:50:42 am »

They obviously didn't do that:

Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--

I'm a bit confused by madires' description. I was under the impression that people went to DK (after getting the email) and tried to login and couldn't, and had to do the PW change, because their old password no longer worked (which would indicate the passwords were nuked).

Madires' message could be read in either way, madires tried to change the password to the old/existing password and DK didn't let them, or he tried to log in after changing the password and it didn't let him... yeah I don't quite understand what Madires' process was from his description.
I couldn't use the old password to create a new password (BTW I didn't click the link in the e-mail but went to the digikey website directly). There is a lot of speculation possible but one thing is clear: Digikey is enforcing stronger passwords.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3029
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Digi-key password update
« Reply #22 on: July 28, 2019, 12:07:01 pm »
I couldn't use the old password to create a new password

Does that mean you couldn't login with the old password (and had to do forgot password), or that you logged in with the old password and then it forced you to choose a new password and wouldn't let you set it to the old password?
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27098
  • Country: nl
    • NCT Developments
Re: Digi-key password update
« Reply #23 on: July 28, 2019, 12:18:35 pm »
I couldn't use the old password to create a new password

Does that mean you couldn't login with the old password (and had to do forgot password), or that you logged in with the old password and then it forced you to choose a new password and wouldn't let you set it to the old password?
I couldn't login at all. I got a forced 'change password' form for which the existing ('old') password didn't work. I had to click the 'forgot password' link in order to regain access.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7836
  • Country: de
  • A qualified hobbyist ;)
Re: Digi-key password update
« Reply #24 on: July 28, 2019, 12:55:55 pm »
I'm a bit confused by madires' description. I was under the impression that people went to DK (after getting the email) and tried to login and couldn't, and had to do the PW change, because their old password no longer worked (which would indicate the passwords were nuked).

Madires' message could be read in either way, madires tried to change the password to the old/existing password and DK didn't let them, or he tried to log in after changing the password and it didn't let him... yeah I don't quite understand what Madires' process was from his description.

I went directly to DK's web page to log in. I entered my username and my old PW. After that I got a new form forcing me to change my PW by entering the old one and a new one twice. That form didn't accept my old PW. The new PW is different from the old one and both aren't anything simple. I hope this clears it up.
 
