Citing an ongoing investigation, the company wouldn’t say how or when the incident occurred.
Online home design biz Houzz revealed late last week that it had been hit by a data breach recently, but didn’t disclose when the incident had occurred or how many people had actually been affected.
“Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party,” reads the startup’s notice. The most sensitive information exposed includes usernames, salted and hashed passwords, IP addresses and, for users who logged into Houzz via Facebook, their Facebook IDs.
Additional data in the compromised file included first name, surname, city and country, along with other details if users had chosen to display them publicly on their Houzz profiles. The file also contained internal identifiers that Houzz believes hold no value for outsiders.
“Importantly, this incident does not involve Social Security numbers or payment card, bank account, or other financial information,” according to the memo by the California-based startup, which claims to be “a community of more than 40 million homeowners, home design enthusiasts and home improvement professionals”.
Houzz has also sent emails to all users “who may have been affected”, advising them to change their passwords as a precaution. There is no word on how many individuals were impacted, however. Nor did the company disclose how or when exactly the breach had occurred, although it noted that it had sprung into action as soon as it learned about the incident in late December 2018.
“We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities,” reads the notice.
“Our security team has a number of ways to learn about potential security vulnerabilities, including our own active methods and third-party reporting. The investigation is ongoing,” said the site.
If you’re a Houzz user, you would be well advised to err on the side of caution and change your password on the site. Additionally, an incident of this kind may have implications beyond the impacted service if you commit the ‘cardinal sin’ of reusing your login credentials across sites, especially when it comes to high-value accounts such as those on financial sites, email providers, or social media. It’s worth making sure that, in addition to being robust, your password is also unique to each of your online accounts. Two-factor authentication, wherever available, provides an additional layer of protection.
written by Tomas Foltyn, ESET We Live Security