Home improvement site Houzz has announced that it suffered a data breach in which third-parties gained access to a file containing publicly visible user data as well private account information.
The company explained to users in an email that an unauthorized third-party obtained access to a file containing internal account information such as user IDs, email addresses, one-way encrypted passwords, IP addresses, city and zip codes and user's Facebook information.
At this time, it is not clear as to whether Houzz's data was stolen through a hacked system, unsecured database or files or even by an employee. The company has also failed to disclose how this data was used or if it had been distributed or sold on any hacking forums.
- Breaking the credential reuse cycle
- Half of malicious emails tied to credential phishing
- New 'collection' data dump contains 2.2bn usernames and passwords
All we do know is that in late December of last year, Houzz was informed that a file containing their data was in the possession of third-parties and that the company had hired a forensics firm to find out exactly how the data was stolen.
Credential stuffing
According to a security notice sent out by Houzz, we know that information from user profiles including names, city, state, country and profile description was obtained by third-parties.
Fortunately though, no payment information or social security numbers were part of the data breach.
However, armed with email addresses and encrypted passwords, hackers could decrypt them and utilise Houzz user credentials in credential stuffing attacks where attackers try leaked user names and passwords on other sites to see if the same login information was used.
Users affected by the Houzz data breach should change their passwords immediately and consider using a password manager in the future.
- We've also highlighted the best antivirus to help keep your systems safe online
