Cyber Incident Victim: Houzz
Date: Dec 2018
Location: United States of America
Summary
Houzz experienced a data breach involving unauthorized access to a file containing user information, prompting password reset notifications for affected accounts. The compromised data potentially included public profile details such as names, locations, and personal descriptions, alongside internal identifiers, salted and encrypted passwords, IP addresses, and ZIP codes. The company confirmed that Social Security numbers and payment information were not exposed. After detecting the incident, the firm initiated an investigation with external forensic experts but delayed user notifications for approximately a month. Impacted individuals were advised to change their credentials as a precaution despite the password encryption measures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late December 2018, Houzz detected unauthorized access by an external party to a file containing user data. The home improvement platform initiated an investigation involving its internal security team and a third-party forensics firm but did not publicly disclose the incident until notifying affected users via email on January 31, 2019. The company confirmed the compromised file contained multiple categories of user information but provided no technical details regarding the breach methodology or attacker identity. Potentially exposed data included public profile elements such as user names, geographic locations, and biographical descriptions; internal Houzz identifiers used for account classification; and technical records comprising salted and encrypted passwords, IP addresses, and ZIP codes. The company explicitly stated that financial data and Social Security numbers remained unaffected.

Houzz implemented password resets for impacted accounts through its website portal while maintaining that encrypted credentials reduced immediate misuse risks, though it omitted specifics about its hashing algorithms. The month-long delay between breach discovery and user notification occurred during the forensic examination phase. Communications emphasized targeted outreach only to users whose data appeared in the exposed file, without disclosing total affected accounts or geographic distribution. No evidence suggested operational disruptions to Houzz services beyond the credential reset recommendations. The investigation remained ongoing at the time of public disclosure with no subsequent updates documented in the available source material.
