In an email to customers sent on Thursday, Houzz said that an "unauthorized third party" gained access to a file containing some customer data. The firm said it discovered the incident in late December and immediately began working with "a leading forensics firm” to investigate the issue.
“Out of an abundance of caution, we have notified all Houzz users who may have been affected,” Houzz said in a security update on its website.
Information possibly obtained
Houzz, which claims to have "40 million homeowners, home design enthusiasts and home improvement professionals" signed up, didn’t provide an estimate of how many users might have been impacted by the breach.
The home improvement startup said Social Security numbers and other financial information weren’t involved in the incident. However, user ID, one-way encrypted passwords, previous Houzz usernames, IP addresses, and city and postcodes inferred from IP addresses could have been leaked.
“We do not believe that any passwords were compromised because we do not actually store passwords, except in a one-way encrypted form that is salted uniquely per user,” the company wrote.
Houzz recommended that users reset their passwords as a precaution.
“We recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”
The company said that its investigation into the matter is ongoing and that it has taken steps to safeguard user data.