
Popular home improvement site hacked – is your personal information at risk?

Pardon me if this may sound like it’s coming from a broken record, but here we go again – another day, another data breach.

From government agencies, airlines, hotels, retail chains and restaurants to unsecured databases, information theft is so commonplace nowadays that it’s no longer a question of “if” a company is going to get hit – it’s a question of “when.”

This time it involves Houzz, one of the most popular home improvement sites around.

Now, if you have a Houzz account and have used its services, you’d better read on and see how this latest breach can affect you.

Houzz data breach

Home improvement site Houzz recently announced that it has suffered a data breach as third parties have gained unauthorized access to a file that contains user data.

What is Houzz, you might ask? It is a website and online community that caters to homeowners, home design aficionados and home improvement professionals. Among its tools is a marketplace where home improvement companies can advertise and sell their services through its platform.

The company said it discovered the data breach in late December 2018 but it is still unclear if the file was accessed through a hacked system, a rogue employee or through an unsecured database.

Houzz also claims that not all of its customers are affected but it has not revealed the actual number of accounts compromised.

Note: Houzz claims it has over 40 million users.

The information involved in the breach includes:

  • User IDs
  • Publicly available information from a Houzz user profile (first name, last name, city, state, country, profile description)
  • Email addresses
  • One-way encrypted passwords “salted” uniquely per user
  • IP address
  • City and ZIP code derived from the IP address
  • Whether a user logs in via Facebook
  • User’s Facebook ID

Houzz claims the breach does not involve financial information or Social Security numbers.

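Additionally, although the “salted” passwords were compromised, Houzz says actual user passwords were not compromised. Note: A “salt” is randomly generated data that is combined with each password before it is one-way hashed, so that two users with the same password do not end up with the same stored value.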

However, as a precaution, it is advising its users to reset their passwords by visiting https://www.houzz.com/changePassword or by going to their account settings.

Houzz has also started email notifications informing its users about the data breach.

Due to the incident, the company is now taking further steps to improve its security. Aside from its internal investigation, Houzz has informed law enforcement and has retained the services of a leading security forensics company to look into the matter.

Beware of password reuse attacks

Financial information may not be involved in this data breach, but don’t let your guard down: it can still put your other accounts at risk. How? Email addresses, usernames and old passwords can still be used for a technique called “credential stuffing.”

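Although the stolen passwords were salted, one-way hashed versions, which cannot be “decrypted” in the usual sense, there’s still a possibility, depending on the strength of Houzz’s hashing scheme, that the hackers will be able to recover the original passwords by guessing, particularly weak or common ones.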
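To make “salted uniquely per user” and “strength of the scheme” concrete, here is an added example (not code from this article or from Houzz) of per-user salted password storage. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for illustration; the article does not say which algorithm Houzz used.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 at a high iteration count stands in for a
# "strong" scheme; the page does not say which algorithm Houzz used.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, key); a fresh random salt is generated per user."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored_key)


def fast_salted_sha256(password: str, salt: bytes) -> bytes:
    """Weak baseline: salted, but only a single fast hash round."""
    return hashlib.sha256(salt + password.encode()).digest()


def cost_ratio(rounds: int = 200) -> float:
    """How many times more work one guess costs under PBKDF2 than one SHA-256."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        fast_salted_sha256("guess", salt)
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hash_password("guess", salt)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    pw = "Kitchen-Remodel-2019"
    (salt_a, key_a), (salt_b, key_b) = hash_password(pw), hash_password(pw)
    print("same password, different stored values:", key_a != key_b)
    print("correct password verifies:", verify_password(pw, salt_a, key_a))
    print("wrong password rejected:", not verify_password(pw.lower(), salt_a, key_a))
    print(f"one PBKDF2 guess costs ~{cost_ratio():,.0f}x one SHA-256 guess")
```

The salt only stops identical passwords from sharing a stored value; it is the per-guess cost of the hashing scheme that decides how long a stolen file resists guessing.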

Combined with other stolen information, someone can then feed these credentials to an automated program that will try them all out on various websites, hoping that people have reused their passwords on multiple services.

Even if you’ve reset your Houzz password, if you reused the same email and password combination on another service, it can also be compromised.

Aside from that, IP addresses and ZIP codes can be combined with other sensitive information from other data breaches (Social Security numbers from the Equifax breach, for example).

With this data, cybercriminals can round out complete individual profiles that can then be used for identity theft.

What now?

To protect yourself from the inevitable fallout of this data breach, here are some suggestions:

  • Beware of phishing scams – Scammers will try and piggyback on huge breaches like this. They will create phishing emails, pretending to be the affected company, hoping to get victims to click on malicious links that could lead to more problems.
  • Have strong security software – Protecting your gadgets with strong security software is important. It’s the best defense against digital threats.
  • Check your other online accounts – As usual, if you suspect that you’ve used your Houzz password on other sites, it’s a good time to review all your online credentials. This is also a good reason why you should never ever reuse the same password for multiple online services and websites.
  • Enable 2FA – Additionally, if you haven’t done it yet, check whether your services support two-factor authentication (2FA) and enable it. 2FA gives you an extra layer of security that will help keep your accounts safe.
  • Keep an eye on your bank accounts – You should be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately.
  • Close your unused accounts – And while you’re at it, better close old accounts that you rarely use.
