Houzz announces data breach

Another week, another case of user data slipping into the wrong hands. This time, home improvement site, Houzz, is the centre of data protection attention after an intrusion into documents that hold publically visible user information and private account data.

Contacting affected users via email, Houzz said that a third party had gained unauthorised access to a file containing information that was freely available for public viewing, as well as private data such as Facebook information, user IDs, email addresses, encrypted passwords, city and post codes linked to IP addresses.

While the incident appears to be a case of cyber-theft, the California-based firm has not yet disclosed if the information was taken through an IT hack, a poorly-secured database, or whether an employee had a hand in assisting a third party.

Nor have Houzz said if the data is being used, distributed or sold on shady internet platforms.

The security notice distributed by Houzz said:

  • Certain publicly visible information from a user’s Houzz profile only if the user made this information publicly available (e.g., first name, last name, city, state, country, profile description)
  • Certain internal identifiers and fields that have no discernible meaning to anyone outside of Houzz (e.g., country of site used, whether a user has a profile image)
  • Certain internal account information (e.g., email address, user ID, prior Houzz usernames, one-way encrypted passwords salted uniquely per user, IP address, and city and ZIP code inferred from IP address) and certain publicly available account information (e.g., current Houzz username and, if a user logs into Houzz through Facebook, the user’s public Facebook ID)

No payment details or social security numbers were involved in the breach, Houzz has claimed, stating:

“Importantly, this incident does not involve Social Security numbers or payment card, bank account, or other financial information.”

 


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.