Home improvement site Houzz has announced a data breach affecting an unspecified number of customers, but claimed that follow-on identity theft is “highly unlikely.”
The firm — which claims to have over 40 million homeowners, home design enthusiasts and home improvement professionals on its books — said it learned about the incident in late December 2018.
However, a Houzz spokesperson clarified to Infosecurity:
“We have complied with our reporting obligations under GDPR by notifying the UK ICO within the period required by GDPR. We also have voluntarily notified users out of an abundance of caution.”
The California-headquartered business said an unauthorized third party gained access to a file containing user data.
This included: user ID, prior Houzz user names, one-way encrypted passwords “salted uniquely per user,” IP address, and city and postcode inferred from IP address. Also exposed in the breach were publicly available account details like Houzz user name and/or Facebook ID.
Finally, if a user had chosen to make them publicly visible, first name, last name, city, state, country and profile description could also have been compromised.
The firm claimed not all customers were affected but did not disclose the number. It has emailed those who may have been affected “out of an abundance of precaution” asking them to reset their passwords.
“We do not believe that any passwords were compromised because we do not actually store passwords except in a one-way encrypted form that is salted uniquely per user,” it added. “However, we recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”
No financial information was taken, nor, for US users, Social Security numbers, according to the firm.
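To make concrete what “one-way encrypted” and “salted uniquely per user” mean in practice, here is an added illustration; it is not Houzz’s code, and the article does not say which algorithm or parameters Houzz uses. The example assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt per user, stores the salt alongside the digest in a self-describing record, and contrasts that with an unsalted hash to show why a leaked table of per-user salted digests does not reveal which users share a password or yield a lookup table across accounts. Sample user names and passwords are constructed for the demonstration.

```python
"""Per-user salted one-way password storage (constructed illustration, not Houzz's code)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: the article names neither algorithm nor work factor.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000       # OWASP's recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way digest with a fresh per-user salt.

    Returns a self-describing record 'algorithm$iterations$salt_hex$digest_hex'
    so the verifier can recover the salt and work factor without a side table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # unique random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """The weak alternative: no salt, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def duplicate_digests(digests) -> int:
    """How many stored digests collide with another user's digest.

    For an unsalted table this equals the number of password-reusing users an
    attacker can spot by eye; for a per-user salted table it should be 0.
    """
    return len(digests) - len(set(digests))


# Constructed sample: two of three users chose the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}


def compare_storage_schemes(users=SAMPLE_USERS) -> dict:
    """Return the collision count under each scheme for the sample users."""
    unsalted = [unsalted_sha256(pw) for pw in users.values()]
    salted = [hash_password(pw).rsplit("$", 1)[1] for pw in users.values()]
    return {
        "unsalted_collisions": duplicate_digests(unsalted),
        "salted_collisions": duplicate_digests(salted),
    }


if __name__ == "__main__":
    record = hash_password(SAMPLE_USERS["carol"])
    print("stored record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print(compare_storage_schemes())
```

The salted scheme is what lets a company say a leaked file “does not contain passwords”: an attacker holding the records still has to run the full key derivation per guess, per user, and cannot reuse work across accounts. It does nothing, however, for a user who typed the same password into another site, which is why the reset advice in the article still applies.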
Tripwire VP Tim Erlin also urged users to change their log-ins.
“If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well,” he argued. “Using unique passwords is a good way to protect yourself from this type of risk. Using multi-factor authentication is another way to reduce the risk. The internet is all about connection, and sometimes those connections work to the advantage of attackers.”