Author Topic: Digi-key password update  (Read 8193 times)


Offline Psi

  • Super Contributor
  • ***
  • Posts: 10014
  • Country: nz
Re: Digi-key password update
« Reply #25 on: July 28, 2019, 01:11:27 pm »
I've not got an email yet, but it did force me to change password when I tried to login today.

Also about 1 week ago I had weirdness happen with digikey. I actually made a thread on here but no one commented.

I ordered something and it never shipped.
The online chat system wouldn't work when I tried to contact them to see why.
I tried for a few days but same issue with online chat not working.

So I emailed them and didn't hear back at all.
But a day after that I logged in to check order history and noticed that the order had just shipped.
It had not shipped in the usual way that triggers emails and stuff and didn't show tracking info in usual place.

I clicked on the invoice PDF to read that and it had a manually added comment.

"21-JUL-2019 16:49 AA0AF RECD EMAIL FROM <NAME> CKING STATUS. IT APPEARS THIS ORDER PIGGY BACKED I WILL CK REPORT ON 7/22. ********** TRACKING NUMBER IS... "

I wonder what 'order piggy backed' might mean?
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline digsys

  • Supporter
  • ****
  • Posts: 2209
  • Country: au
    • DIGSYS
Re: Digi-key password update
« Reply #26 on: July 28, 2019, 02:30:26 pm »
AHHHH CRAP ! Just tried it myself after reading all this, and got the same ... entered new p/word, froze, tried again later with new p/word .. and all good !! .. EXCEPT !!!!
The damn shopping cart I built up this last 2 weeks is ALL GONE !! CRAP ! Now I got to remember what I ordered ..... siiigh
Hello <tap> <tap> .. is this thing on?
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11364
  • Country: us
    • Personal site
Re: Digi-key password update
« Reply #27 on: July 28, 2019, 04:44:33 pm »
Does that mean you couldn't login with the old password (and had to do forgot password), or that you logged in with the old password and then it forced you to choose a new password and wouldn't let you set it to the old password.
It recognized the old password on a normal login form, but then redirected to the password change form, which did not accept the regular password.

It is possible, of course, that the normal login form had a redirect and all passwords were already nuked. But then why even ask for it in a password change form?

The whole process is broken and was handled very inappropriately, IMO.
Alex
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14651
  • Country: fr
Re: Digi-key password update
« Reply #28 on: July 28, 2019, 04:51:44 pm »
Got the email, didn't feel like changing my pw, tried to log in, it logged in but immediately asked to change my password before I could continue.
I changed it.
Then logged in with the new pw.
Then got a "page not redirected correctly" message from Firefox.

Being used to getting this kind of behavior occasionally in Firefox due to old cookies, I deleted all cookies related to Digikey and tried again.
It worked.
 

Offline IanJ

  • Supporter
  • ****
  • Posts: 1649
  • Country: scotland
  • Full time EE & Youtuber
    • IanJohnston.com
Re: Digi-key password update
« Reply #29 on: July 28, 2019, 04:53:38 pm »
UK, FireFox on Win10.

Got the email....ignored it (virtually never click on emails!) and tried to login normally.....got the "change password" form which I did and it worked fine.

Ian.
Ian Johnston - Original designer of the PDVS2mini || Author of the free WinGPIB app.
Website - www.ianjohnston.com
YT Channel (electronics repairs & projects): www.youtube.com/user/IanScottJohnston, Twitter (X): https://twitter.com/IanSJohnston
 

Offline apelly

  • Supporter
  • ****
  • Posts: 1061
  • Country: nz
  • Probe
Re: Digi-key password update
« Reply #30 on: July 29, 2019, 06:05:41 am »
I was trying to find the couple of earlier posts that said "At least they're helping" or something. From their T&Cs:
Quote from: DigiKey
Your username and password are referred to as your "Identification." Your Identification must be accurate, current, and complete, and you may not provide false information to Digi-Key or impersonate another individual or entity. You are solely responsible for keeping your Identification confidential. You agree that you and your authorized representatives will be the only users of your Identification, and that you will be solely responsible for all activities on the Site using your Identification.
https://www.digikey.co.nz/en/terms-and-conditions

They have no reason to care if your password is strong. I still reckon something caused them to panic.

Australia does have mandatory disclosure rules, but I don't know if they're in effect yet, or how they work.

We'll see, I guess.
« Last Edit: July 29, 2019, 06:08:24 am by apelly »
 

Offline lowimpedance

  • Super Contributor
  • ***
  • Posts: 1249
  • Country: au
  • Watts in an ohm?
Re: Digi-key password update
« Reply #31 on: July 29, 2019, 06:45:24 am »
AHHHH CRAP ! Just tried it myself after reading all this, and got the same ... entered new p/word, froze, tried again later with new p/word .. and all good !! .. EXCEPT !!!!
The damn shopping cart I built up this last 2 weeks is ALL GONE !! CRAP ! Now I got to remember what I ordered ..... siiigh

 I was able to 'resume cart' on a part I had in my shopping cart before the password reset.
Go to your orders status and history and you should see the last cart pending, clicking on the web ID will give a box where you can resume the cart or delete it etc.
The odd multimeter or 2 or 3 or 4...or........can't remember !.
 

Offline digsys

  • Supporter
  • ****
  • Posts: 2209
  • Country: au
    • DIGSYS
Re: Digi-key password update
« Reply #32 on: July 29, 2019, 09:54:43 am »
Quote from: lowimpedance
  I was able to 'resume cart' on a part I had in my shopping cart before the password reset.
Go to your orders status and history and you should see the last cart pending, clicking on the web ID will give a box where you can resume the cart or delete it etc.
Ahh yep. Well aware of that, been using DigiKey for years. The last cart was empty. Maybe, they did a roll-back, and I was just unlucky. They definitely seemed to have screwed something up.
Hello <tap> <tap> .. is this thing on?
 

Offline rbm

  • Regular Contributor
  • *
  • Posts: 230
  • Country: ca
Re: Digi-key password update
« Reply #33 on: July 29, 2019, 10:33:58 am »
I also got the same notification and attempted a login whereupon I was forced to change my password.  I noticed that the site which accepts credentials and authenticates them is different than what I have stored in my password manager.  So, I believe the update that Digikey performed changed the authentication mechanism.  That would explain the request for password change.  I don't believe it to be a result of a hack or pen test finding; more likely it's a change to federated login because the country specific nature of the login mechanism that Digikey used before is now gone (i.e. I used to authenticate to www.digikey.ca and now I authenticate to auth.digikey.com).
« Last Edit: July 29, 2019, 10:38:55 am by rbm »
- Robert
 

Offline digsys

  • Supporter
  • ****
  • Posts: 2209
  • Country: au
    • DIGSYS
Re: Digi-key password update
« Reply #34 on: July 29, 2019, 11:49:37 am »
Quote from: rbm
... I don't believe it to be a result of a hack or pen test finding; more likely it's a change to federated login because the country specific nature of the login mechanism that Digikey used before is now gone (i.e. I used to authenticate to www.digikey.ca and now I authenticate to  auth.digikey.com).
Fair enough, definitely seems the most likely  .. beats me as to where my basket went ... maybe I'm getting old faster than I thought :-)
Edit: Just checked again and it's back ??? I did delete cookies first ... unsure why that'd be why??? All good again, move along :-)
Edit2: <sheepish grin> ok, found the culprit. I have a few accounts on the login page .. for different contracts / tax groups. After reading the first posts, and expecting a breach, I selected the "wrong" account .. which btw isn't indicated once you're logged in. oops
« Last Edit: July 30, 2019, 12:06:08 am by digsys »
Hello <tap> <tap> .. is this thing on?
 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21828
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Digi-key password update
« Reply #35 on: July 29, 2019, 11:29:48 pm »
Worked fine here.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline Andreas

  • Super Contributor
  • ***
  • Posts: 3271
  • Country: de
Re: Digi-key password update
« Reply #36 on: July 30, 2019, 04:54:12 am »
Got the email....ignored it (virtually never click on emails!) and tried to login normally.....got the "change password" form which I did and it worked fine.

The same here in DE.

With best regards

Andreas
 

Offline MrBlueJones

  • Newbie
  • Posts: 1
  • Country: tw
Re: Digi-key password update
« Reply #37 on: August 09, 2019, 04:29:00 pm »
Although I did not lose nor use my credit card in the last few weeks, someone managed to take 8000 USD off my card.
This credit card is also stored on the Digikey website.
When today I wanted to order a few components, I was forced to reset my password. But it did not (or did not want to) recognize my old password that I was using for years. I had to use the 'password reset' feature.
Anybody else who got surprise bills from Visa who also have their credit card info on the Digi-Key website?
I suspect their website has been hacked and sensitive information leaked. Why would they otherwise force all users (apparently) to reset their passwords?
 

Offline wrljet

  • Newbie
  • Posts: 2
  • Country: us
Re: Digi-key password update
« Reply #38 on: August 11, 2019, 08:40:43 pm »
I got the email, too, and thought it might be a scam.
Went to Digi-Key website using my old bookmark and tried to log in.

It said I needed to change the password before it ever let me in.
And it refuses to accept any password I've tried as meeting their requirements.

 

Offline orion242

  • Supporter
  • ****
  • Posts: 746
  • Country: us
Re: Digi-key password update
« Reply #39 on: August 12, 2019, 12:31:04 pm »
Their site has been down all weekend and still DOA now.

??

Withdrawal from their parametric search starting to set in.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6947
  • Country: ca
Re: Digi-key password update
« Reply #40 on: August 12, 2019, 01:01:01 pm »
Why would they otherwise force all users (apparently) to reset their passwords?
It may happen in normal course of business depending on how a company stores users' passwords. One of the ways is to store not passwords themselves, be it encrypted, but hash of the password. Hash is theoretically one way function, i.e. passwords can't be recovered from hash. However this creates a problem when the company needs to change password protection scheme, i.e. to a stronger hash function, or perform system upgrades that require re-encrypting the password database. Guess what, you can't re-calculate new hash from the existing one, so the only way is to force customers to create new passwords. I've seen it numerous times back in my work in IT.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: rs20

Offline madires

  • Super Contributor
  • ***
  • Posts: 7859
  • Country: de
  • A qualified hobbyist ;)
Re: Digi-key password update
« Reply #41 on: August 12, 2019, 01:37:19 pm »
What I consider a tad strange or unprofessional is the issue with the old password. It was accepted by the standard login, but not by the PW change form which followed immediately after the login. Some didn't have this problem, some did and were forced to reset their old PW. In most cases it's possible to detect the hashing method from the stored hash and that method would be used to verify the user's old PW. This way a smooth transition to a new hashing algorithm is straightforward and doesn't break anything.
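
Added example, not part of any post in this thread and not Digi-Key's code: a sketch of the transition discussed in the two posts above, where the scheme is read from the stored record, the old password is verified with the old method, and the record is re-hashed at login because the new hash cannot be derived from the old one. The `sha256$` and `pbkdf2_sha256$` record formats, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the new scheme


def hash_legacy(password: str, salt: bytes) -> str:
    """Constructed 'old' scheme: a single round of salted SHA-256."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_current(password: str) -> str:
    """Constructed 'new' scheme: PBKDF2-HMAC-SHA256 with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Choose the verifier from the scheme tag at the front of the stored record."""
    scheme, *fields = stored.split("$")
    if scheme == "sha256" and len(fields) == 2:
        candidate = hash_legacy(password, bytes.fromhex(fields[0]))
    elif scheme == "pbkdf2_sha256" and len(fields) == 3:
        iterations, salt_hex, _ = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        candidate = f"pbkdf2_sha256${iterations}${salt_hex}${dk.hex()}"
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def login(db: dict, user: str, password: str) -> bool:
    """Verify against whatever scheme is stored, then upgrade the record in place."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        # The plaintext is only available at this moment, so re-hash now.
        db[user] = hash_current(password)
    return True
```

Accounts that never log in keep their legacy record under this approach, so a forced reset is still needed for them if the old scheme has to be retired by a fixed date.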
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6947
  • Country: ca
Re: Digi-key password update
« Reply #42 on: August 12, 2019, 01:55:29 pm »
Mostly true and is a good intent but depends on the infrastructure and details of implementation. In many cases it can only be "Either Or" and not feasible to run in parallel old and new systems. As usual, the evil is in the details.
Facebook-free life and Rigol-free shack.
 

Offline rbm

  • Regular Contributor
  • *
  • Posts: 230
  • Country: ca
Re: Digi-key password update
« Reply #43 on: August 15, 2019, 10:35:48 pm »
Although I did not lose nor use my credit card in the last few weeks, someone managed to take 8000 USD off my card.
This credit card is also stored on the Digikey website.
That's speculation. It is quite possible your account information was compromised long ago at some place other than Digikey and only recently has it been sold, and fraudulently used. It is a falsehood that people believe the last place they used their card was the place where it was compromised. There are many ways your account details could have been exposed without you being aware of it (or the merchant whose system was compromised where you used your card).
- Robert
 

Offline wrljet

  • Newbie
  • Posts: 2
  • Country: us
Re: Digi-key password update
« Reply #44 on: August 16, 2019, 02:33:53 pm »
I finally managed to get back in, after a lot of swearing.

It turned out I had used part of a common dictionary word in the new passwd, and that is no longer allowed.
I suggested to their tech support they might explain the passwd minimum requirements on the actual form.
 
The following users thanked this post: grantb5

Offline bombledmonk

  • Regular Contributor
  • *
  • Posts: 90
  • Country: us
Re: Digi-key password update
« Reply #45 on: August 22, 2019, 05:30:32 pm »
I know there's been lots of speculation on here and this is a delayed response, but this was part of a year+ long project to upgrade the authentication system. It was not in response to a breach, just a symptom of switching the system storing passwords and a suboptimal communication plan.

Offline jmelson

  • Super Contributor
  • ***
  • Posts: 2777
  • Country: us
Re: Digi-key password update
« Reply #46 on: August 22, 2019, 07:31:48 pm »
It turned out I had used part of a common dictionary word in the new passwd, and that is no longer allowed.
I suggested to their tech support they might explain the passwd minimum requirements on the actual form.
Yeah, the way things are going, sites in general are going to require a 256-character password, it must contain all ASCII characters at least once, must not contain any words in any human language, and be changed daily!

Jon
 

Offline rbm

  • Regular Contributor
  • *
  • Posts: 230
  • Country: ca
Re: Digi-key password update
« Reply #47 on: August 23, 2019, 06:51:09 am »
Better to have multi-factor authentication (MFA) and thwart the problems with single factor password auth.  Problem is that there is no universal standard for MFA, which ends up being a PITA for end-users.
- Robert
 

Offline 3roomlab

  • Frequent Contributor
  • **
  • Posts: 828
  • Country: 00
Re: Digi-key password update
« Reply #48 on: September 04, 2019, 07:49:56 am »
o my

i could see octopart, mouser, RS etc etc

but ...
digikey is down?
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5143
  • Country: nl
Re: Digi-key password update
« Reply #49 on: September 04, 2019, 08:07:32 am »
digikey is down?

No problem here, what happens if you just try 204.221.76.76 ?
Keyboard error: Press F1 to continue.
 

