Houzz Advises Users to Reset Their Passwords Amid the Latest Data Breach

Houzz Data Breach

The fact that data breaches are so common nowadays doesn't make them any more pleasant. For both users and service providers, the effects of these incidents can be pretty severe. The amount of damage depends, however, on a number of factors including how much data was stolen, how the attackers got it, how the vendor responded, etc. On Thursday, Houzz, an online platform for interior design and architecture enthusiasts, admitted that intruders had accessed a file that contained some user data. Let's see how bad it was.

Breaking the news

It all started when users took to social media and shared the emails they had received from the home renovation website. This, in and of itself, shows that Houzz's approach was less than ideal. People were tweeting not because they were proud that they might have had their data exposed. They were doing it because they weren't sure whether the messages were genuine.

Houzz opted not to publish a press release detailing the incident which probably wasn't the best decision in the world. The only thing users could rely on was an FAQ page in the Help section of Houzz's website.

Disclosing the details

The FAQ page gives us an idea of the nature of the stolen information. Houzz users can control the visibility of things like their names, home cities, etc. The hackers managed to steal these details from people who had opted to leave them public. Data that is not immediately visible were also compromised. This includes the user's username, their IP address and the geolocation which, Houzz says, is estimated based on the IP, as well as unimportant stuff like whether or not the person has a profile picture.

Hackers didn't steal any financial information, but they did manage to make off with some passwords. According to Houzz, however, they were "one-way encrypted" and "salted uniquely per user". It would be interesting to know whether "one-way encrypted" means "hashed", and if it does, it would also be interesting to learn what the hashing algorithm was. Sadly, Houzz has opted not to publicly disclose this information.

A few other pieces of the puzzle are missing as well. In fact, the company is fairly tight-lipped. It won't say how the hackers got in, and although it claims that not all of its 40 million users were exposed, it won't quote the exact number of affected individuals.

Houzz says that it's not sharing these details because of the ongoing investigation. The said investigation started last year.

Houzz first discovered the breach in December

The FAQ page states that Houzz has known about the incident since "late December". Upon seeing the exfiltration of data, the company immediately informed law enforcement and hired some security experts who stopped the attackers and got everything back under control. Houzz decided not to say why it kept the breach under wraps for a month.

All in all, we're not talking about the worst data breach the world has ever seen. No financial information was lost, and by the looks of things, users' passwords are safe. Nevertheless, we mustn't overlook the fact that Houzz's response was not perfect.

February 4, 2019

Leave a Reply