Home design website and community Houzz revealed that a security incident might have exposed some users' personal and account data.
On 1 February, Houzz published a
security update explaining that it detected the security event in late December 2018. The company didn't provide exact details about how it learned of the incident. It simply stated that its "security team has a number of ways to learn about potential security vulnerabilities, including... active methods and third-party reporting."
After discovering the incident, Houzz hired a forensics firm to assist in its investigation of and response to what happened. This joint effort uncovered that the event involved an unauthorized third-party actor who gained access to a file containing some of the company's user data. According to the security update, this file might have contained users' publicly available information like their name and address, several internal identifiers used by Houzz and account data including usernames, IP addresses and one-way encrypted passwords that were previously salted.
The home design website clarified that it doesn't believe the security incident exposed any passwords. Even so, it's recommending that users change their passwords out of an abundance of caution.
Houzz noted that its investigation into this instance of unauthorized data access is currently ongoing:
We continue to investigate the incident both with our internal team and with a leading forensics firm. We have also notified law enforcement authorities. Protecting our users’ data is our priority, and we have already taken actions to help safeguard their data.
Users would be wise to heed Houzz's recommendation and change their passwords. To do so, they should visit https://www.houzz.com/changePassword. They'll need access to the email accounts which they used to first create an account on that website. From there, they should use these expert tips to protect their accounts with a strong password. Users might also consider changing their passwords on other websites if they reused the same credential set which this incident might have exposed.
