The home remodeling and design platform Houzz informed customers that it suffered a data breach that exposed some personal information

The popular home design platform Houzz has suffered a data breach that exposed some personal information.

Houzz has over 40 million monthly unique users, at the time is not clear how many individuals are affected.

The company learned in late December that of an unathorized access to its user data and started notifying its users.

The company discovered that a file containing user data was obtained by an “unauthorized third party.”

“Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party. The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities.” reads the data breach notification published by the company.

“Out of an abundance of caution, we have notified all Houzz users who may have been affected.”

The company is investigating the issue to discover how hackers obtained the data, it notified law enforcement and hired a forensics firm to assist it.

The file obtained by the unauthorized third party included information such as name, city, state, country, description and also some internal identifiers used by Houzz systems

The company revealed that exposed data also included usernames, password hashes, IP addresses, and user’s Facebook ID in case the users accessed to the platform through Facebook.

Hackers did not access social security numbers or financial information.

The company suggest users reset the password and revealed that it uses a unique salt for each password.

“You may reset your password at https://www.houzz.com/changePassword. Please note that in order to reset your password, you will need to have access to the email address that is associated with your Houzz profile.” continues the notification.

“We do not believe that any passwords were compromised because we do not actually store passwords except in a one-way encrypted form that is salted uniquely per user. However, we recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”

https://threatpost.com/houzz-data-breach/141426/

The decorating website said that account usernames, passwords and more have been compromised as part of a breach.

Interior decorating website Houzz on Friday issued a notice that user data – including usernames, passwords and IP addresses – had been accessed by an “unauthorized third party.”

Houzz connects consumers to varying home-goods departments or professionals for purchasing furniture. The Palo Alto, Calif.-based company said that a rogue third-party had obtained a file with the user data.

That data includes internal account data like user ID, prior Houzz usernames, one-way encrypted passwords (salted uniquely per user), IP address, and city and ZIP code inferred from IP address. Also accessed was publicly visible info from a user’s Houzz profile (first name, last name, city, state, country, profile description). If users had logged into Houzz using Facebook, the user’s public Facebook ID was exposed as well.

“Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party,” the company said in an alert on its website. “The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment and remediation efforts. We have also notified law enforcement authorities.”

Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

User Social Security numbers, payment cards, bank accounts and other financial information were not impacted. Houzz said that it learned about the incident in late December, but it didn’t say how long the third party had access to the file for.

The company said that not all Houzz users were impacted by the incident.

When asked specifically how many Houzz customers were impacted and what the root cause of the breach stemmed from, a Houzz spokesperson told Threatpost: “Because the investigation is still ongoing, the best information we are able to provide has already been covered in the FAQ.”

In the email to impacted customers, Houzz urged them to change their passwords in their account settings.

Tim Erlin, vice president of product management and strategy at Tripwire, said that the breach highlights the risks of password reuse.

“While it might not be clear how this sensitive data was obtained, this is a good example of the risks of password reuse,” he said in an email. “If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well. Using unique passwords is a good way to protect yourself from this type of risk. Using multi-factor authentication is another way to reduce the risk. The internet is all about connection, and sometimes those connections work to the advantage of attackers.”

The breach is only the latest security incident so far in January – Discover Financial, IT management giant Rubrik, Airbus, the City of St. John in New Brunswick, Canada and the State Bank of India have all reported data exposures. Separately this week, 2.2 billion records were discovered on the Dark Web as part of a data dump that’s being called “Collections #2-5.”