ADI Resets Passwords After "Very Limited Number Of Suspicious Online Orders"

On Feb 14th, ADI sent out an "Important Account Notice", excerpt below:

ADI responded to IPVM's request for comment explaining:

After identifying a very limited number of suspicious online orders, in an abundance of caution, ADI decided to proactively require a password reset, even though there is no evidence that our internal systems were compromised, nor any evidence of a data breach or loss of customer data. We continue to work to provide an exceptional digital experience for our customers, and part of these efforts includes the implementation of enhanced security measures. The password reset was initiated as a precaution against threats. [emphasis added]

They clarified that they "requested password resets from all users with purchasing ability."

It is hard to know exactly what happened, but one common cause is users reusing passwords (i.e., a person's password for site X is leaked, they use the same password at ADI, and someone can then log in to their ADI account). This was an issue for Ring recently.

One way to mitigate such attacks is 2-factor authentication (even if someone found your reused password, they'd still need to get through the second factor). ADI responded, "We are always looking at further security enhancement, including 2 factor and MFA, but no decision yet."

For example, IPVM supports 2FA though very few members actually use it.
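
As an added illustration of the password-reuse scenario described above (example code, not from the article, ADI or IPVM), the following Python flags a source address that attempts logins against many distinct accounts inside a short window with mostly failures and a few successes, which is the signature of replaying leaked credentials; the log format, IP addresses and usernames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical IPs and usernames), one per line:
# "timestamp source_ip username result".
SAMPLE_LOG = """\
2020-02-13T10:00:01 203.0.113.5 alice fail
2020-02-13T10:00:02 203.0.113.5 bob fail
2020-02-13T10:00:03 203.0.113.5 carol success
2020-02-13T10:00:04 203.0.113.5 dave fail
2020-02-13T10:00:05 203.0.113.5 erin fail
2020-02-13T10:00:06 203.0.113.5 frank fail
2020-02-13T10:00:07 203.0.113.5 grace success
2020-02-13T10:05:00 198.51.100.7 alice fail
2020-02-13T10:05:30 198.51.100.7 alice fail
2020-02-13T10:06:00 198.51.100.7 alice success
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that tried many distinct accounts.
    Stuffing replays leaked (user, password) pairs: many usernames, mostly
    failures, a few successes. One user mistyping touches one username."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            ok = [u for _, u, r in span if r == "success"]
            if len(users) >= min_users and len(ok) / len(span) <= max_success_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "compromised": sorted(set(ok))}
        if best:
            flagged[ip] = best
    return flagged
```

The "compromised" list for a flagged source is the set of accounts whose password the attacker evidently had, which is the narrow group a targeted reset would cover; the second source, one user retrying their own account, is not flagged.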

I was also asked recently to reset mine as well. Wonder if they had a breach or something?

They say no evidence of a breach. If it was, eventually, others would find evidence as that data would typically be shared.

I am curious who submitted fake orders. How would you benefit / make money off of it? Ship yourself products and resell them on Amazon? Anyone have any theories of how to profit from fake ADI orders?

I know a local tri-ed branch that had issues a few years ago with fraudulent orders being placed. Someone would place a large order, bill it to an unknowing company and ship to a new address. The individual could then re-sell the items, the company that was billed would probably dispute the charges and tri-ed would need to pick up the bill.

I'm sure ADI has similar issues. I had to go out of my way to set up a shortlist of people who can purchase on our ADI account. Not sure why the default is that anyone can walk in, say the company name, and be able to bill it to that company.

Interesting.

Someone would place a large order, bill it to an unknowing company and ship to a new address

But couldn't the defrauded seller figure out who the fraudster was by checking out that address? That's the part I am trying to understand. How do you physically receive goods without leaving a trace to who you are?

You have a third party receive the goods and forward it to you. Or have it delivered to a vacant property. Or steal it off a neighbor's porch that you have it delivered to. Lots of options I guess.

You have a third party receive the goods and forward it to you.

That person then would be identifiable and an accomplice to the crime. I guess they could do it but strikes me as quite risky.

Or have it delivered to a vacant property.

Maybe, I don't know. I read a couple of articles on the topic and I still don't get it.

One idea I saw was using stolen credit cards for gift cards, which because they are virtual are easier to move. Not as sure about guys ordering a pallet of security devices. Curious to understand.

I’ve read where the man in the middle is an unknowing accomplice. They are duped into helping the criminal in some way.

ADI at one point stated users had to have the account number when walking in and placing an order.

We have guys that stop in at ADI or Anixter and buy stuff with no verification from the counter person to our office. Maybe because they all wear company shirts?

So far all the purchases have been legit, and it's convenient for us to tell a tech to go by ADI and get a lock, etc. Just wonder who is going to hold the bag if it goes bad one day?

Probably need to sort that out.

I suspect every ADI branch may be a bit different, but you can enforce the need for a P.O. issued from the office. My old company had that. No tech could just stop by and pick something up, a purchase order had to come from the office.

My current employer doesn't seem to care, as long as it gets paid. I happen to have my own account anyway, but if I wanted to I could buy stuff under their account as long as I charge it to my own personal credit card.

If your local branch isn't enforcing that rule, if you have it in place, you may want to consider talking to the district manager, or head office.

I can't speak for Anixter, as I have rarely ever dealt with them.

Just want to state for the record we have never asked any distributor to limit purchases, require POs etc. I do not want to imply they have ignored our requests.

We probably should put a policy in place, but there are many other things on the to-do list; this is low priority.