Home Design Company Houzz Reports Data Breach That May Have Exposed Your Personal Info and Data

Home Design Company Houzz Reports Data Breach That May Have Exposed Your Personal Info and Data

Company does not believe sensitive information like Social Security numbers or financial information was affected

February 4, 2019

Did you create an account with Houzz, the home design website and community? Up to 40 million people have done so since 2009 to get home design and improvement ideas. But whether you signed up with email or used your Facebook or Google account to gain access to the site, you should be changing passwords now. Houzz reported that a recent security incident may have exposed your personal data and account data.

What Happened?

Houzz posted a 'security update' on February 1, 2019 giving some information on the breach. In the notice, Houzz states the breach occurred and was detected in December 2018, but no reason was given for the amount of time, more than a month, between the discovery and this notice.

Houzz states that a file containing some user data was obtained by an unauthorized third party and that all affected Houzz users were notified. But no further information was given as to how the breach was detected, stating only that the "security team has a number of ways to learn about potential security vulnerabilities, including [their] own active methods and third-party reporting."

What Data was obtained?

Houzz hired a "leading forensics firm" to help in the investigation into how the breach occurred, which discovered an unauthorized third party gained access to a company file that may have contained users' names, addresses, various internal identifies used by Houzz that have no meaning outside their network, usernames, IP address, and one-way encrypted passwords 'salted' uniquely per user.

The company states that the "incident does not affect sensitive personal information like Social Security numbers or payment card, bank account, or other financial information, so it is highly unlikely that your identity could be stolen as a result."

Change Your Passwords Anyway

According to Houzz, the security breach did not expose any user passwords since passwords are not stored except in one-way encrypted form. Regardless, you should change your passwords for any Houzz accounts anyway. It's not uncommon for future updates regarding security breaches to announce additional data loss, including passwords. To change your password, you will need access to the email address that is associated with the accounts.

Even though it's not a secure practice, many users use the same passwords between various websites, apps and services. Any other login information that is the same as the information used to login to the Houzz website should also be changed as a precaution.

Investigation is Ongoing

Houzz noted that it is continuing the investigation into the breach with its internal team and the hired forensics company. Law enforcement has been notified.

If you have questions

Anyone with questions about this incident or their accounts can contact Houzz directly using this support link.