Houzz suffers a data breach, asks users to reset password

Home improvement startup Houzz informed its users on Thursday, January 31, that it suffered a data breach. The company has not provided details about the occurrence but contacted its users to encourage them to change their passwords as a precautionary measure to prevent accounts from being compromised.

Houzz informed its users of the breach via email, and additional details are available on the company’s website. According to the company, a file containing user data was obtained by an “unauthorized third party.” Houzz did not go into detail as to how the company was breached. It said that it is currently investigating the situation, with its internal team and a “leading forensics firm” looking into the specifics.

The company also failed to lay out what user information has been compromised. Instead, it details what data “could have been” impacted by the incident. Potentially exposed information includes publicly visible information on Houzz user profiles including names, locations, and personal descriptions; internal identifiers that Houzz uses to classify its users; and encrypted passwords, IP addresses, and ZIP codes. Houzz did emphasize that information including Social Security numbers and payment information was not compromised.

Of the information that may have been compromised, passwords are the most concerning. The company said that user passwords are scrambled and salted (which adds additional characters to a stored password to make it harder to decipher) but did not detail what hashing algorithm it uses to protect passwords. It’s hard to say just how secure those stolen passwords are, so it is probably best to heed the company’s advice and change yours if you have a Houzz account.
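To show why the unnamed algorithm matters, here is an added example (not Houzz's code, and not from the original article) of salted password storage with a deliberately slow key-derivation function, scrypt from Python's standard library. The record format, the cost parameters and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Current cost policy (assumed values for this example; tune to your hardware).
POLICY = {"n": 2**14, "r": 8, "p": 1}
MAXMEM = 64 * 1024 * 1024  # upper bound on scrypt memory use


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=32)


def hash_password(password: str, params: dict = POLICY) -> str:
    """Return 'scrypt$n$r$p$salt_hex$hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(16)  # unique per password, stored beside the hash
    digest = _derive(password, salt, **params)
    return "$".join(["scrypt", str(params["n"]), str(params["r"]),
                     str(params["p"]), salt.hex(), digest.hex()])


def _parse(record: str):
    scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    n, r, p, salt, expected = _parse(record)
    return hmac.compare_digest(_derive(password, salt, n, r, p), expected)


def needs_rehash(record: str) -> bool:
    """True when a record was created with parameters other than the current policy."""
    n, r, p, _, _ = _parse(record)
    return (n, r, p) != (POLICY["n"], POLICY["r"], POLICY["p"])
```

The salt makes identical passwords produce different records; the cost parameters decide how expensive each guess is for whoever holds a stolen file, which is the detail the company did not disclose.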

Houzz said it first learned of the breach in late December 2018. While the company said it “immediately engaged with a leading forensics firm” to look into the incident, it didn’t inform users until Thursday. Not all users were affected and Houzz specifically contacted those it believes were impacted.

If you are a Houzz user, you can reset your password by visiting the company’s “change password” page. Log in with your email address to change the password. You may also want to consider changing the passwords on other accounts that use the same login information.

Editors' Recommendations

AJ Dellinger
AJ Dellinger is a freelance reporter from Madison, Wisconsin with an affinity for all things tech. He has been published by…
Facebook faces another huge data leak affecting 267 million users

More than 267 million Facebook users’ IDs, phone numbers, and names were exposed in an online database that could potentially be used for spam and phishing campaigns.

Security researcher Bob Diachenko uncovered the database, according to Comparitech. The database was first indexed on December 4, but as of today, December 19, it is unavailable. Comparitech reports that before the site was taken down, the database was found on a hacker forum as a downloadable file. 

OnePlus customer data stolen in second data breach in two years

Phone company OnePlus has suffered another data breach, with an undisclosed number of customer names, contact numbers, email addresses, and shipping addresses stolen by an unnamed hacker or group.

This comes less than two years after up to 40,000 customers' private information was stolen from OnePlus, leading to credit card fraud using customers' details. In this case, the breach only came to light when the issue of credit card fraud was raised by a user on the OnePlus forums. An investigation subsequently discovered a malicious script had been gobbling up customer credit card details when they were entered into the OnePlus website.

Lawsuit alleges Equifax’s stupid password made it super-easy to steal your data

Remember that epic Equifax hack from 2017? As it turns out, the company made it pretty easy for hackers to get in. A recent filing in the United States District Court for the Northern District of Georgia, Atlanta Division points out a few of the company’s missteps that might have led to the breach.

The first of those issues comes in the form of the password the company used to protect a portal used to manage credit disputes. While you might think a major company holding personal information like people’s names, addresses, and social security numbers might use an exceptionally secure password in that instance, it actually went for something different: It used “admin” as both the username and password for the portal.

Not exactly the most secure move.

If the shoddy password wasn’t enough, the company also stored unencrypted user information on a public-facing server. That meant that any attacker that compromised the website’s server would immediately have access to all the personal information stored on it, with no additional work required.

The website also wasn’t the only thing it left unencrypted. The company also failed to encrypt its mobile applications, so not only was it keeping sensitive data unencrypted on its own server, it was transmitting that data unencrypted over the internet.

When it did finally encrypt that data, it “left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”

The court filing suggests that Equifax’s encryption protocol fell short of industry standards and data security laws, going as far as to say that the company “did not know what they were doing with respect to data security.”

The hack on Equifax in 2017 reportedly impacted approximately 147 million people, exposing their personal information and social security numbers.

As part of a settlement from the incident, Equifax is paying more than $300 million toward credit monitoring services for the impacted customers. It’s also compensating customers who paid out-of-pocket expenses as a result of the breach.

If you were impacted, you can apply to receive credit monitoring services or a $125 settlement via Equifax’s site now.
