The home improvement site Houzz announced a data breach this week in which third parties gained access to a file containing both publicly visible user data and private account information.

In an email sent to affected users, Houzz stated that an unauthorized third party gained access to a file containing both publicly available information and internal account information such as user IDs, email addresses, one-way encrypted passwords, IP addresses, city and ZIP codes derived from IP addresses, and Facebook information.

Houzz Security Notification Email

Based on the FAQ, it appears that Houzz's data was stolen at some point, but it is not known whether it was stolen through a hacked system, an unsecured database or file share, or by an employee.

It was also not disclosed how this data was being used or whether it was distributed or sold on underground hacking forums. All that is known is that in late December 2018, Houzz was told that a file containing its data was in the hands of third parties, and that it hired a forensics firm to determine how the data was stolen.

According to the security notice, the file contained the following data:

Certain publicly visible information from a user’s Houzz profile only if the user made this information publicly available (e.g., first name, last name, city, state, country, profile description)

Certain internal identifiers and fields that have no discernible meaning to anyone outside of Houzz (e.g., country of site used, whether a user has a profile image)

Certain internal account information (e.g., email address, user ID, prior Houzz usernames, one-way encrypted passwords salted uniquely per user, IP address, and city and ZIP code inferred from IP address) and certain publicly available account information (e.g., current Houzz username and, if a user logs into Houzz through Facebook, the user’s public Facebook ID)

Houzz has stated that no payment information or social security numbers were part of this breach.

"Importantly, this incident does not involve Social Security numbers or payment card, bank account, or other financial information."

While payment information was not disclosed, email addresses and one-way encrypted (hashed) passwords were. Depending on the hashing algorithm used to protect the passwords, it may be possible for attackers to crack them so that they can be used in other attacks.

Armed with a cracked password and an email address, attackers can use this information to try to log in to other sites with the same credentials, in what is called a credential stuffing attack. If the user reused the same login information at another site, the attackers would be able to gain access to that site as well.

Therefore, it is important not only for affected users to change their password at Houzz, but also to change their passwords at any other sites where they used the same one. It is also strongly recommended to use a password manager to create a unique password for each site where an account is created.
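As an added illustration that is not part of the BleepingComputer article or of Houzz's notice: a small Python detector for the credential stuffing pattern described above, run over a constructed login log (the addresses, accounts and log format are made up for the example). It flags a source address that tries many distinct accounts with mostly failures, and lists the accounts that nonetheless logged in, since those are the password-reuse victims a site operator should force to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not Houzz data), one attempt per line.
SAMPLE_LOG = """\
2019-02-01T10:00:01 ip=203.0.113.5 user=alice@example.com result=fail
2019-02-01T10:00:02 ip=203.0.113.5 user=bob@example.com result=fail
2019-02-01T10:00:03 ip=203.0.113.5 user=carol@example.com result=ok
2019-02-01T10:00:04 ip=203.0.113.5 user=dave@example.com result=fail
2019-02-01T10:00:05 ip=203.0.113.5 user=erin@example.com result=fail
2019-02-01T10:00:06 ip=203.0.113.5 user=frank@example.com result=fail
2019-02-01T10:05:00 ip=198.51.100.7 user=alice@example.com result=fail
2019-02-01T10:05:40 ip=198.51.100.7 user=alice@example.com result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$")

def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["res"] == "ok"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.5):
    """Map each suspicious source IP to (distinct accounts tried, accounts that logged in).
    Many distinct accounts from one IP inside the window, mostly failing, is the signature of
    credential stuffing rather than one person mistyping a password; the accounts that did
    log in are the ones whose owners reused a leaked password."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window forward
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            hits = [u for _, u, ok in span if ok]
            if len(users) >= min_users and len(hits) / len(span) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), hits)  # keep the widest qualifying window
    return flagged
```

On the sample log, only 203.0.113.5 is flagged (6 accounts tried, one success), while the single user retrying their own password from 198.51.100.7 is not.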

BleepingComputer has contacted Houzz for more information regarding this breach, but has not received a response by the time of this publication.