Home improvement and design website Houzz has publicly disclosed a data breach after discovering late last year that an unauthorized third party had obtained a file containing user data.

An FAQ page published on Houzz.com today says that the compromised information falls under three categories:

  • Profile information such as names, addresses, countries and descriptions, but only if the user already made this data publicly available.
  • Identifiers and fields intended for internal use that would “have no discernible meaning” to external parties.
  • Public and internal account information, including user IDs, past and present usernames, one-way encrypted passwords (salted uniquely per user), IP addresses, and Facebook IDs (if the user logs on to Houzz via Facebook).

Financial information and Social Security numbers were not affected.

Houzz’s public disclosure says the breach was exposed in late December 2018, but it does not indicate when the incident actually transpired, how the breach occurred, or how it was uncovered. “Our security team has a number of ways to learn about potential security vulnerabilities, including our own active methods and third-party reporting,” the FAQ page explains.

In response to the incident, “We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities,” the FAQ page continues. The company also reached out to potentially impacted users and advised them to change their passwords.

“While it might not be clear how this sensitive data was obtained, this is a good example of the risks of password reuse,” said Tim Erlin, vice president at Tripwire, in emailed comments. “If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well.”