EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: bitwelder on July 28, 2019, 06:11:11 am

Title: Digi-key password update
Post by: bitwelder on July 28, 2019, 06:11:11 am
This morning I've got an email from Digi-key (specifically, digikey.fi) where they said that "We are taking steps to update and improve the security of our customers' online accounts. As a result, we are asking you to take action by updating and strengthening your My Digi‑Key password."

So (instead of clicking on the 'courtesy' login link in the mail, just my normal anti-phishing hygiene) I went to their page and tried to login, but it failed. Hmm... Same with an older account I have that I'm not using much nowadays. Longer hmmm...
In the end I used the 'forgot password' (via email) feature to update my credentials, and all is good. BTW, my old password was already long and 'strong'.

- Did anybody else receive similar emails recently?
- Is that just normal administration on Digi-key side, or do I smell a password database leak?


Title: Re: Digi-key password update
Post by: Fred27 on July 28, 2019, 06:17:27 am
I got a similar email from Digikey UK. Not changed my password yet. It does sound a little bit like an email you might get if they've been hacked, but normally a company would admit it at this point. Maybe they've just been pen tested and found out they'd been using unsalted hashes and/or very weak passwords.
Title: Re: Digi-key password update
Post by: ataradov on July 28, 2019, 06:25:42 am
Just got the same email. Got a forced password change form, which does not seem to work at all.

Sounds like a database leak.

Had to do password reset to be actually able to change it and login again.
Title: Re: Digi-key password update
Post by: nali on July 28, 2019, 07:33:18 am
+1.

Went to Digikey (independently, not clicking the link in the email) and got a forced password reset. Couldn't log in afterwards until I cleared my cookies, but it's fine now.
Title: Re: Digi-key password update
Post by: sleemanj on July 28, 2019, 07:37:57 am
Benefit of the doubt, my guess is that they maybe stored passwords as an MD5 or similar now essentially broken hashing algorithm and they want to move to a more robust hashing algorithm (SHAx), or maybe they were not salting the hash and now want to.
Title: Re: Digi-key password update
Post by: ataradov on July 28, 2019, 07:44:02 am
They could already do that. They get your password in plain text when you log in. So they could authenticate it using the old method and then store with salt and stronger hash, and then erase the old copy.
Title: Re: Digi-key password update
Post by: nctnico on July 28, 2019, 08:56:11 am
Just got the same email. Got a forced password change form, which does not seem to work at all.

Sounds like a database leak.

Had to do password reset to be actually able to change it and login again.
Same here. But it is weird.
Title: Re: Digi-key password update
Post by: apelly on July 28, 2019, 09:38:36 am
This is the behaviour of a hacked company.

I'd wager they were storing unsalted passwords on their web server and got hacked.

Especially as my password was crazy strong. And if it wasn't, how could they know anyway?
Title: Re: Digi-key password update
Post by: Mr.B on July 28, 2019, 09:41:47 am
Interesting. I have not had such an email.
Two other Kiwis here have commented... Do you have Digikey accounts? Have you received such an email?
Title: Re: Digi-key password update
Post by: apelly on July 28, 2019, 09:46:03 am
I went to digikey.com and logged in with my nz creds. I was invited to upgrade my password before I could continue.
Title: Re: Digi-key password update
Post by: Mr.B on July 28, 2019, 09:47:21 am
Ok.
Just tried to log on now and was challenged to enter a new password.

I think @apelly may be on the right path...
This is the behaviour of a hacked company.
Title: Re: Digi-key password update
Post by: apelly on July 28, 2019, 09:50:31 am
It seemed like a completely shady way to do this too. They didn't have a plan in place and the marketing wankers decided to deal with it without consulting anyone technical.

Why the fuck would you click-track this kind of email?

Do you expect your customers to follow links in an unexpected password reset email?

It all stinks of panic at the moment.
Title: Re: Digi-key password update
Post by: TheSteve on July 28, 2019, 09:54:58 am
Digikey did have a notice on the website all week long of scheduled downtime for an upgrade this weekend.
Title: Re: Digi-key password update
Post by: TheUnnamedNewbie on July 28, 2019, 10:00:54 am
Digikey did have a notice on the website all week long of scheduled downtime for an upgrade this weekend.

I think it is far more likely they got a security update this weekend, or security review was part of the update, and whoever did it pointed out that they were not being secure with how they were handling passwords. So now they want everyone to make a new password so they have no links back to the previous ones?

I think jumping to the conclusion that they must have been hacked is a bit rash...
Title: Re: Digi-key password update
Post by: apelly on July 28, 2019, 10:11:49 am
I think jumping to the conclusion that they must have been hacked is a bit rash...
You might be right. The way they're dealing with it seems like they have no idea if they were hacked or not. And, as I said before, it indicates they did not have a plan in place for it. Which is what you'd expect of your average company.

But you would expect your average company to be hacked at some stage too. It's not personal any more. It's just a numbers game.
Title: Re: Digi-key password update
Post by: madires on July 28, 2019, 10:19:49 am
Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--
Title: Re: Digi-key password update
Post by: Dabbot on July 28, 2019, 10:33:24 am
+1 received an email and reset my DigiKey password this evening.

On the subject of this being a possible data breach, can we stop the irresponsible speculation and get an official response? DigiKey operates in multiple countries which have mandatory data breach reporting laws. Attempting to sweep this under the rug would place them in a far worse situation.
Title: Re: Digi-key password update
Post by: sleemanj on July 28, 2019, 10:55:49 am
They could already do that. They get your password in plain text when you log in. So they could authenticate it using the old method and then store with salt and stronger hash, and then erase the old copy.

Sure but that relies on people coming and logging in in some sort of timely fashion, and until such time the password is still in the more vulnerable state, they probably have thousands if not tens of thousands of abandoned accounts, or accounts which get logged into maybe once a year.

Better for them to just nuke everybody's password now and tell them to come and change it, the worst harm is that people have to do a forgot-password process.
Title: Re: Digi-key password update
Post by: PA0PBZ on July 28, 2019, 11:00:59 am
Better for them to just nuke everybody's password now...

They obviously didn't do that:

Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--
Title: Re: Digi-key password update
Post by: sleemanj on July 28, 2019, 11:38:51 am

They obviously didn't do that:

Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--

I'm a bit confused by madires' description. I was under the impression that people went to DK (after getting the email) and tried to login and couldn't, and had to do the PW change, because their old password no longer worked (which would indicate the passwords were nuked).

Madires' message could be read in either way: madires tried to change the password to the old/existing password and DK didn't let them, or he tried to log in after changing the password and it didn't let him... yeah, I don't quite understand what Madires' process was from his description.

Title: Re: Digi-key password update
Post by: DIPLover on July 28, 2019, 11:45:16 am
Got the email, changed my password on digikey.ca.
Title: Re: Digi-key password update
Post by: nctnico on July 28, 2019, 11:50:42 am

They obviously didn't do that:

Same here. Got email, logged in, forced PW change, didn't accept old PW and now I have to follow the password reset procedure. :--

I'm a bit confused by madires' description. I was under the impression that people went to DK (after getting the email) and tried to login and couldn't, and had to do the PW change, because their old password no longer worked (which would indicate the passwords were nuked).

Madires' message could be read in either way: madires tried to change the password to the old/existing password and DK didn't let them, or he tried to log in after changing the password and it didn't let him... yeah, I don't quite understand what Madires' process was from his description.
I couldn't use the old password to create a new password (BTW I didn't click the link in the e-mail but went to the digikey website directly). There is a lot of speculation possible but one thing is clear: Digikey is enforcing stronger passwords.
Title: Re: Digi-key password update
Post by: sleemanj on July 28, 2019, 12:07:01 pm
I couldn't use the old password to create a new password

Does that mean you couldn't login with the old password (and had to do forgot password), or that you logged in with the old password and then it forced you to choose a new password and wouldn't let you set it to the old password.
Title: Re: Digi-key password update
Post by: nctnico on July 28, 2019, 12:18:35 pm
I couldn't use the old password to create a new password

Does that mean you couldn't login with the old password (and had to do forgot password), or that you logged in with the old password and then it forced you to choose a new password and wouldn't let you set it to the old password.
I couldn't login at all. I got a forced 'change password' form for which the existing ('old') password didn't work. I had to click the 'forgot password' link in order to regain access.
Title: Re: Digi-key password update
Post by: madires on July 28, 2019, 12:55:55 pm
I'm a bit confused by madires' description. I was under the impression that people went to DK (after getting the email) and tried to login and couldn't, and had to do the PW change, because their old password no longer worked (which would indicate the passwords were nuked).

Madires' message could be read in either way: madires tried to change the password to the old/existing password and DK didn't let them, or he tried to log in after changing the password and it didn't let him... yeah, I don't quite understand what Madires' process was from his description.

I went directly to DK's web page to log in. I entered my username and my old PW. After that I got a new form forcing me to change my PW by entering the old one and a new one twice. That form didn't accept my old PW. The new PW is different from the old one and both aren't anything simple. I hope this clears it up.
Title: Re: Digi-key password update
Post by: Psi on July 28, 2019, 01:11:27 pm
I've not got an email yet, but it did force me to change password when I tried to login today.

Also about 1 week ago I had weirdness happen with digikey. I actually made a thread on here but no one commented.

I ordered something and it never shipped.
The online chat system wouldn't work when I tried to contact them to see why.
I tried for a few days but same issue with online chat not working.

So I emailed them and didn't hear back at all.
But a day after that I logged in to check order history and noticed that the order had just shipped.
It had not shipped in the usual way that triggers emails and stuff and didn't show tracking info in the usual place.

I clicked on the invoice PDF to read that and it had a manually added comment.

"21-JUL-2019 16:49 AA0AF RECD EMAIL FROM <NAME> CKING STATUS. IT APPEARS THIS ORDER PIGGY BACKED I WILL CK REPORT ON 7/22. ********** TRACKING NUMBER IS... "

I wonder what 'order piggy backed' might mean?
Title: Re: Digi-key password update
Post by: digsys on July 28, 2019, 02:30:26 pm
AHHHH CRAP ! Just tried it myself after reading all this, and got the same ... entered new p/word, froze, tried again later with new p/word .. and all good !! .. EXCEPT !!!!
The damn shopping cart I built up this last 2 weeks is ALL GONE !! CRAP ! Now I got to remember what I ordered ..... siiigh
Title: Re: Digi-key password update
Post by: ataradov on July 28, 2019, 04:44:33 pm
Does that mean you couldn't login with the old password (and had to do forgot password), or that you logged in with the old password and then it forced you to choose a new password and wouldn't let you set it to the old password.
It recognized the old password on a normal login form, but then redirected to the password change form, which did not accept the regular password.

It is possible, of course that the normal login form had a redirect and all passwords were already nuked. But then why even ask for it in a password change form?

The whole process is broken and was handled very inappropriately, IMO.
Title: Re: Digi-key password update
Post by: SiliconWizard on July 28, 2019, 04:51:44 pm
Got the email, didn't feel like changing my pw, tried to log in, it logged in but immediately asked to change my password before I could continue.
I changed it.
Then logged in with the new pw.
Then got a "page not redirected correctly" message from Firefox.

Being used to getting this kind of behavior occasionally in Firefox due to old cookies, I deleted all cookies related to Digikey and tried again.
It worked.
Title: Re: Digi-key password update
Post by: IanJ on July 28, 2019, 04:53:38 pm
UK, FireFox on Win10.

Got the email....ignored it (virtually never click on emails!) and tried to login normally.....got the "change password" form which I did and it worked fine.

Ian.
Title: Re: Digi-key password update
Post by: apelly on July 29, 2019, 06:05:41 am
I was trying to find the couple of earlier posts that said "At least they're helping" or something. From their T&Cs:
Quote from: DigiKey
Your username and password are referred to as your "Identification." Your Identification must be accurate, current, and complete, and you may not provide false information to Digi-Key or impersonate another individual or entity. You are solely responsible for keeping your Identification confidential. You agree that you and your authorized representatives will be the only users of your Identification, and that you will be solely responsible for all activities on the Site using your Identification.
https://www.digikey.co.nz/en/terms-and-conditions

They have no reason to care if your password is strong. I still reckon something caused them to panic.

Australia does have mandatory disclosure rules, but I don't know if they're in effect yet, or how they work.

We'll see, I guess.
Title: Re: Digi-key password update
Post by: lowimpedance on July 29, 2019, 06:45:24 am
AHHHH CRAP ! Just tried it myself after reading all this, and got the same ... entered new p/word, froze, tried again later with new p/word .. and all good !! .. EXCEPT !!!!
The damn shopping cart I built up this last 2 weeks is ALL GONE !! CRAP ! Now I got to remember what I ordered ..... siiigh

 I was able to 'resume cart' on a part I had in my shopping cart before the password reset.
Go to your orders status and history and you should see the last cart pending, clicking on the web ID will give a box where you can resume the cart or delete it etc.
Title: Re: Digi-key password update
Post by: digsys on July 29, 2019, 09:54:43 am
Quote from: lowimpedance
  I was able to 'resume cart' on a part I had in my shopping cart before the password reset.
Go to your orders status and history and you should see the last cart pending, clicking on the web ID will give a box where you can resume the cart or delete it etc.
Ahh yep. Well aware of that, been using DigiKey for years. The last cart was empty. Maybe, they did a roll-back, and I was just unlucky. They definitely seemed to have screwed something up.
Title: Re: Digi-key password update
Post by: rbm on July 29, 2019, 10:33:58 am
I also got the same notification and attempted a login whereupon I was forced to change my password. I noticed that the site which accepts credentials and authenticates them is different than what I have stored in my password manager. So, I believe the update that Digikey performed changed the authentication mechanism. That would explain the request for password change. I don't believe it to be a result of a hack or pen test finding; more likely it's a change to federated login because the country specific nature of the login mechanism that Digikey used before is now gone (i.e. I used to authenticate to www.digikey.ca and now I authenticate to auth.digikey.com).
Title: Re: Digi-key password update
Post by: digsys on July 29, 2019, 11:49:37 am
Quote from: rbm
... I don't believe it to be a result of a hack or pen test finding; more likely it's a change to federated login because the country specific nature of the login mechanism that Digikey used before is now gone (i.e. I used to authenticate to www.digikey.ca and now I authenticate to auth.digikey.com).
Fair enough, definitely seems the most likely  .. beats me as to where my basket went ... maybe I'm getting old faster than I thought :-)
Edit: Just checked again and it's back ??? I did delete cookies first ... unsure why that'd be why??? All good again, move along :-)
Edit2: <sheepish grin> ok, found the culprit. I have a few accounts on the login page .. for different contracts / tax groups. After reading the first posts, and expecting a breach, I selected the "wrong" account .. which btw isn't indicated once you're logged in. oops
Title: Re: Digi-key password update
Post by: T3sl4co1l on July 29, 2019, 11:29:48 pm
Worked fine here.

Tim
Title: Re: Digi-key password update
Post by: Andreas on July 30, 2019, 04:54:12 am
Got the email....ignored it (virtually never click on emails!) and tried to login normally.....got the "change password" form which I did and it worked fine.

The same here in DE.

With best regards

Andreas
Title: Re: Digi-key password update
Post by: MrBlueJones on August 09, 2019, 04:29:00 pm
Although I did not lose nor use my credit card in the last few weeks, someone managed to take 8000 USD off my card.
This credit card is also stored on the Digikey website.
When I wanted to order a few components today, I was forced to reset my password. But it did not (or did not want to) recognize my old password that I had been using for years. I had to use the 'password reset' feature.
Anybody else who got surprise bills from Visa who also have their credit card info on the Digi-Key website?
I suspect their website has been hacked and sensitive information leaked. Why would they otherwise force all users (apparently) to reset their passwords?
Title: Re: Digi-key password update
Post by: wrljet on August 11, 2019, 08:40:43 pm
I got the email, too, and thought it might be a scam.
Went to Digi-Key website using my old bookmark and tried to log in.

It said I needed to change the password before it ever let me in.
And it refuses to accept any password I've tried as meeting their requirements.

Title: Re: Digi-key password update
Post by: orion242 on August 12, 2019, 12:31:04 pm
Their site has been down all weekend and still DOA now.

??

Withdraws from their parametric search starting to set in.
Title: Re: Digi-key password update
Post by: Bud on August 12, 2019, 01:01:01 pm
Why would they otherwise force all users (apparently) to reset their passwords?
It may happen in the normal course of business depending on how a company stores users' passwords. One of the ways is to store not the passwords themselves, even encrypted, but a hash of the password. A hash is theoretically a one-way function, i.e. passwords can't be recovered from the hash. However, this creates a problem when the company needs to change the password protection scheme, i.e. to a stronger hash function, or perform system upgrades that require re-encrypting the password database. Guess what, you can't re-calculate the new hash from the existing one, so the only way is to force customers to create new passwords. I've seen it numerous times back in my work in IT.
Title: Re: Digi-key password update
Post by: madires on August 12, 2019, 01:37:19 pm
What I consider a tad strange or unprofessional is the issue with the old password. It was accepted by the standard login, but not by the PW change form which followed immediately after the login. Some didn't have this problem, some did and were forced to reset their old PW. In most cases it's possible to detect the hashing method from the stored hash and that method would be used to verify the user's old PW. This way a smooth transition to a new hashing algorithm is straightforward and doesn't break anything.
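The transition ataradov and madires describe, verifying the old password with whatever scheme the stored record reveals and then re-storing it under the new scheme, as an added Python example that is not from the thread or from Digi-Key. The record formats, the unsalted-MD5 legacy scheme and the user table are constructed assumptions; the example also lists the accounts that have not logged in since the switch and so stay on the weak scheme, which is sleemanj's argument for forcing a reset instead.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed record formats (assumptions for this example, not Digi-Key's real storage):
#   legacy: bare 32-hex-char unsalted MD5 digest, the weak scheme speculated in the thread
#   modern: "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>", salted and deliberately slow
MODERN_PREFIX = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000  # OWASP password storage guidance for PBKDF2-HMAC-SHA256


def hash_legacy(password: str) -> str:
    """Only used to build the constructed sample table; never write new records this way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_modern(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash; salt and iteration count travel inside the record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{MODERN_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def scheme_of(record: str) -> str:
    """Detect the hashing scheme from the stored record itself (madires' point)."""
    if record.startswith(MODERN_PREFIX + "$"):
        return "modern"
    if len(record) == 32 and all(c in "0123456789abcdef" for c in record.lower()):
        return "legacy"
    raise ValueError("unrecognised password record")


def verify(record: str, password: str) -> bool:
    """Constant-time comparison under whichever scheme the record uses."""
    if scheme_of(record) == "legacy":
        return hmac.compare_digest(hash_legacy(password), record.lower())
    _, iters, salt_hex, digest_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def login(record: str, password: str) -> Tuple[bool, str]:
    """Check the password against the record's own scheme; on success return the
    record to write back, upgraded in place if it was still legacy."""
    if not verify(record, password):
        return False, record
    if scheme_of(record) == "legacy":
        return True, hash_modern(password)  # old MD5 copy is replaced, not kept alongside
    return True, record


def still_legacy(users: Dict[str, str]) -> List[str]:
    """Accounts that never logged in since the switch stay on the weak scheme;
    these are the ones only a forced reset would cover (sleemanj's argument)."""
    return sorted(u for u, rec in users.items() if scheme_of(rec) == "legacy")


# Constructed user table: both records start out in the legacy scheme.
USERS: Dict[str, str] = {
    "active_user": hash_legacy("correct horse battery staple"),
    "dormant_user": hash_legacy("Tr0ub4dor&3"),
}


def demo() -> List[str]:
    """One successful login upgrades that user; the dormant account stays legacy."""
    ok, upgraded = login(USERS["active_user"], "correct horse battery staple")
    if ok:
        USERS["active_user"] = upgraded  # write the upgraded record back
    return still_legacy(USERS)  # -> ["dormant_user"]


if __name__ == "__main__":
    print("still on legacy hashing after one login:", demo())
```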
Title: Re: Digi-key password update
Post by: Bud on August 12, 2019, 01:55:29 pm
Mostly true and is a good intent but depends on the infrastructure and details of implementation. In many cases it can only be "Either Or" and not feasible to run in parallel old and new systems. As usual, the evil is in the details.
Title: Re: Digi-key password update
Post by: rbm on August 15, 2019, 10:35:48 pm
Although I did not lose nor use my credit card in the last few weeks, someone managed to take 8000 USD off my card.
This credit card is also stored on the Digikey website.
That's speculation.  It is quite possible your account information was compromised long ago at some place other than Digikey and only recently has it been sold, and fraudulently used.  It is a falsehood that people believe the last place they used their card was the place where it was compromised.  There's many ways your account details could have been exposed without you being aware of it (or the merchant whose system was compromised where you used your card).
Title: Re: Digi-key password update
Post by: wrljet on August 16, 2019, 02:33:53 pm
I finally managed to get back in, after a lot of swearing.

It turned out I had used part of a common dictionary word in the new passwd, and that is no longer allowed.
I suggested to their tech support they might explain the passwd minimum requirements on the actual form.
Title: Re: Digi-key password update
Post by: bombledmonk on August 22, 2019, 05:30:32 pm
I know there's been lots of speculation on here and this is a delayed response, but this was part of a year+ long project to upgrade the authentication system. It was not in response to a breach, just a symptom of switching the system storing passwords and a suboptimal communication plan.
Title: Re: Digi-key password update
Post by: jmelson on August 22, 2019, 07:31:48 pm
It turned out I had used part of a common dictionary word in the new passwd, and that is no longer allowed.
I suggested to their tech support they might explain the passwd minimum requirements on the actual form.
Yeah, the way things are going, sites in general are going to require a 256-character password, it must contain all ASCII characters at least once, must not contain any words in any human language, and be changed daily!

Jon
Title: Re: Digi-key password update
Post by: rbm on August 23, 2019, 06:51:09 am
Better to have multi-factor authentication (MFA) and thwart the problems with single factor password auth.  Problem is that there is no universal standard for MFA, which ends up being a PITA for end-users.
Title: Re: Digi-key password update
Post by: 3roomlab on September 04, 2019, 07:49:56 am
Oh my

I could see octopart, mouser, RS etc etc

but ...
digikey is down?
Title: Re: Digi-key password update
Post by: PA0PBZ on September 04, 2019, 08:07:32 am
digikey is down?

No problem here, what happens if you just try 204.221.76.76 ?
Title: Re: Digi-key password update
Post by: bitwelder on September 05, 2019, 02:03:30 pm
Well that's strange, it seems TPG.au the ISP is blocking digikey
I switched to a different line and it worked.

winmtr ping 12 hops, not a squeak on the other line. Very weird
Is it blocking access to digikey (e.g. you cannot reach to their IP 204.221.76.76) or the DNS doesn't resolve / resolves to a bogus address?
Title: Re: Digi-key password update
Post by: Red Squirrel on September 05, 2019, 04:52:39 pm
I didn't get an email (unless it was a long time ago) but I just tried to login now and I was forced to change it so I did.

Either they are being diligent or it is indeed a database leak. I've moved to using unique passwords for each site now.  It's a bit of a pain since I need to always go check my password manager before I login to any site, but at least when there's a leak it will only affect that one site.

Next step I need to do is to use a separate email for each site.  That way when I get spam I know what site is responsible.
Title: Re: Digi-key password update
Post by: grantb5 on September 05, 2019, 05:09:22 pm
If you have Gmail, you can use special characters to "extend" your email address:

https://www.thewindowsclub.com/gmail-address-tricks