We must protect this Houzz: Home improvement website discloses breach

Home improvement and design website Houzz has publicly disclosed a data breach after discovering late last year that an unauthorized third party had obtained a file containing user data.

An FAQ page published today says that the compromised information falls under three categories:

  • Profile information such as names, addresses, countries and descriptions, but only if the user already made this data publicly available.
  • Identifiers and fields intended for internal use that would "have no discernible meaning" to external parties.
  • Public and internal account information, including user IDs, past and present usernames, one-way encrypted passwords (salted uniquely per user), IP addresses, and Facebook IDs (if the user logs on to Houzz via Facebook).

Financial information and Social Security numbers were not affected.

Houzz's public disclosure says the breach was exposed in late December 2018, but it does not indicate when the incident actually transpired, how the breach occurred, or how it was uncovered. "Our security team has a number of ways to learn about potential security vulnerabilities, including our own active methods and third-party reporting," the FAQ page explains.

In response to the incident, "We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities," the FAQ page continues. The company also reached out to potentially impacted users and advised them to change their passwords.

"While it might not be clear how this sensitive data was obtained, this is a good example of the risks of password reuse," said Tim Erlin, vice president at Tripwire, in emailed comments. "If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.