
Cyber Incident Victim: Havenly

Date: Jul 2020

Location: United States of America

Summary

A Denver-based interior design marketplace experienced a data breach when threat actors leaked approximately 1.3 million user records online. The compromised information included login credentials, full names, MD5-hashed passwords, email addresses, phone numbers, and zip codes, though financial data remained largely unaffected as only partial credit card digits were stored. The organization responded by initiating forced password resets, engaging external security experts, and notifying impacted individuals. Users were advised to verify exposure through a breach notification service and update credentials across other platforms to mitigate credential stuffing risks.


Description

Havenly, a Denver-based interior design marketplace, disclosed a data breach on August 3, 2020, following the leak of 1.3 million user records by the threat actor ShinyHunters. The breach occurred when ShinyHunters publicly released the stolen database on a hacker forum as part of a larger dump involving eighteen companies and over 386 million user records. Nine of these databases, including Havenly’s, were newly released at the time, while the remaining nine had been previously leaked by the same actor. The compromised data included login names, full names, MD5-hashed passwords, email addresses, phone numbers, zip codes, and other unspecified user information. Havenly became aware of the incident after BleepingComputer reported ShinyHunters’ forum activity involving multiple company databases. The company confirmed no full credit card details were exposed, as it only stored the last four digits of cards in some cases, which it stated were insufficient for fraud.

In response to the breach, Havenly initiated a forced password reset for all existing customers, logging them out of their accounts and requiring new credentials upon next login. The company notified affected users via email, acknowledging the incident and its engagement with external security experts to investigate. It advised customers to change passwords on other platforms where they reused Havenly credentials to prevent credential stuffing attacks. Users were directed to the Have I Been Pwned service to verify if their data was compromised. Havenly emphasized its commitment to security but provided no specifics on the breach’s timeline, intrusion methods, or whether systems were fully secured post-incident. The disclosure highlighted the exposure of personal identifiers while downplaying financial risks due to limited card data storage. No system downtime or operational disruptions were reported in the announcement.
