Bringing the Houzz down: Home design website tells users to reset passwords after copping to breach

Logins, IP address, personal data and the kitchen sink at risk

Home improvement website Houzz has urged users to reset their passwords after an "unauthorised third party" made off with a file containing customer data.

The Californian biz, founded in 2009 and valued at almost $4bn in 2017, is a bartering marketplace and, er, ideas platform for interior designers, architects, traders and home owners.

It said it discovered the incident in "late December" and had been working with "a leading forensics firm" since then.

An email to customers, sent in the early hours of 1 February UK time, stated: "Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party."

It offered no further details of how the incident occurred, and a separate FAQ on its website added little more, saying only: "Our security team has a number of ways to learn about potential security vulnerabilities, including our own active methods and third-party reporting. The investigation is ongoing."

Neither did the firm disclose how many users had been affected. It said not all had been exposed, but "out of an abundance of caution" it had notified all those who might have been. We've asked Houzz for more details. It claims to have "40 million homeowners, home design enthusiasts and home improvement professionals" signed up.

The email seen by The Register said that it did not "believe" that the recipient's password was compromised, but recommended resetting it as a precaution.

However, Houzz did say that one-way encrypted passwords, salted uniquely per user, could have been leaked along with user ID, prior Houzz usernames, IP address, and city and postcodes inferred from IP addresses.

Houzz data breach email screenshot

Houzz email, received at 1:25am (GMT) Friday 1 February. Click to enlarge

Other deets that the miscreant(s) may have access to included some publicly available account information, such as current Houzz username and – if the user logs in through Facebook – that person's public Facebook ID.

This is in addition to further "internal identifiers and fields" that Houzz said confidently would "have no discernible meaning to anyone outside of Houzz". As examples in this category it gave "country of site used, whether a user has a profile image".

Info a person made public on the Houzz site, such as their name and city or state location, is also listed as at risk.

But the company emphasised that social security numbers, payment cards, bank account and other financial details were not affected. It said it was "highly unlikely that your identity could be stolen as a result".

Houzz was this week reported to have laid off 110 people in the UK and Germany, and 70 in the US – from a total staff of just 1,800 – possibly ahead of a much speculated IPO.

The firm said it had contacted law enforcement authorities. We have contacted the UK's data protection watchdog, the Information Commissioner's Office, to confirm that. ®

Other stories you might like

Biting the hand that feeds IT © 1998–2021