[BreachExchange] Houzz Break-In: Data Breach Announced

Destry Winant destry at riskbasedsecurity.com
Mon Feb 4 07:30:12 EST 2019


https://www.bleepingcomputer.com/news/security/houzz-break-in-data-breach-announced/

The home improvement site Houzz announced a data breach this week
involving third-parties gaining access to a file that contains
publicly visible user data as well as private account information.

In an email sent to affected users, Houzz stated that an unauthorized
third-party gained access to a file containing both publicly available
information as well as internal account information such as user IDs,
email address, one-way encrypted passwords, IP addresses, city and zip
codes derived from IP addresses, and Facebook information.

Based on the FAQ, it appears that Houzz's data was stolen at some
point, but it is not known if it stolen through a hacked system,
unsecured database or files, or by an employee.

It was also not disclosed how this data was being used or if it was
distributed or sold on underground hacking forums. All that we know is
that in late December 2018, Houzz was told that a file containing
their data was in the hands of third-parties and that they hired a
forensics firm to determine how the data was stolen.

According to the security notice, the file contained the following data:

Certain publicly visible information from a user’s Houzz profile only
if the user made this information publicly available (e.g., first
name, last name, city, state, country, profile description)
Certain internal identifiers and fields that have no discernible
meaning to anyone outside of Houzz (e.g., country of site used,
whether a user has a profile image)
Certain internal account information (e.g., email address, user ID,
prior Houzz usernames, one-way encrypted passwords salted uniquely per
user, IP address, and city and ZIP code inferred from IP address) and
certain publicly available account information (e.g., current Houzz
username and, if a user logs into Houzz through Facebook, the user’s
public Facebook ID)

Houzz has stated that no payment information or social security
numbers were part of this breach.

"Importantly, this incident does not involve Social Security numbers
or payment card, bank account, or other financial information."

While payment information was not disclosed, email address and
encrypted passwords were. Depending on the type of encryption used to
encrypt the passwords, it is possible for attackers to decrypt them so
that they can be used in other attacks.

Armed with a decrypted password and an email address, attackers can
use this information to try and login to other sites using the same
credentials in what is a called a credential stuffing attack. If the
user used the same login information at another site, then the
attackers would be able to gain access to that site as well.

Therefore, it is not only important for affected users to change their
password at Houzz, but they should also change their passwords at
other sites where they used the same one. It is also strongly
recommended that password managers are used to create unique passwords
at each site that an account is created.

BleepingComputer has contacted Houzz for more information regarding
this breach, but has not received a response by the time of this
publication.


More information about the BreachExchange mailing list