Houzz Urges Password Resets After Data Breach

The decorating website said that account usernames, passwords and more have been compromised as part of a breach.

Interior decorating website Houzz on Friday issued a notice that user data – including usernames, passwords and IP addresses – had been accessed by an “unauthorized third party.”

Houzz connects consumers to varying home-goods departments or professionals for purchasing furniture. The Palo Alto, Calif.-based company said that a rogue third-party had obtained a file with the user data.

That data includes internal account data like user ID, prior Houzz usernames, one-way encrypted passwords (salted uniquely per user), IP address, and city and ZIP code inferred from IP address. Also accessed was publicly visible info from a user’s Houzz profile (first name, last name, city, state, country, profile description). If users had logged into Houzz using Facebook, the user’s public Facebook ID was exposed as well.

“Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party,” the company said in an alert on its website. “The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment and remediation efforts. We have also notified law enforcement authorities.”

Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

User Social Security numbers, payment cards, bank accounts and other financial information were not impacted. Houzz said that it learned about the incident in late December, but it didn’t say how long the third party had access to the file for.

The company said that not all Houzz users were impacted by the incident.

When asked specifically how many Houzz customers were impacted and what the root cause of the breach stemmed from, a Houzz spokesperson told Threatpost: “Because the investigation is still ongoing, the best information we are able to provide has already been covered in the FAQ.”

In the email to impacted customers, Houzz urged them to change their passwords in their account settings.

Tim Erlin, vice president of product management and strategy at Tripwire, said that the breach highlights the risks of password reuse.

“While it might not be clear how this sensitive data was obtained, this is a good example of the risks of password reuse,” he said in an email. “If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well. Using unique passwords is a good way to protect yourself from this type of risk. Using multi-factor authentication is another way to reduce the risk. The internet is all about connection, and sometimes those connections work to the advantage of attackers.”

The breach is only the latest security incident so far in January – Discover Financial, IT management giant Rubrik, Airbus, the City of St. John in New Brunswick, Canada and the State Bank of India have all reported data exposures. Separately this week, 2.2 billion records were discovered on the Dark Web as part of a data dump that’s being called “Collections #2-5.”

Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

 

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.