Cybersecurity News

Houzz Data Breach – What Really Happened?

The Houzz data breach happened in December 2018. The home improvement start-up claims it has over 40 million users. Let’s find out more about the Houzz data breach in this article.

Another day, another breach. This may sound old, but yes, another data breach has occurred. Cyberattacks become more common every day, so common that “if” is no longer the question to ask; it’s a matter of “when”. Every sector experiences them, from government agencies to small businesses with unsecured databases.

In December 2018, another popular company became a victim: Houzz. The company serves the home improvement industry.

What is Houzz?

Houzz is a website and an online community. It offers home improvement services to homeowners and also serves home design enthusiasts and professionals. One of its tools is the marketplace, which enables home improvement companies to advertise and sell their products. The company claims it has over 40 million users.

Houzz Data Breach

The company admitted that it suffered a data breach. Its announcement stated that unauthorized third parties accessed files containing publicly visible user data. It is still unclear whether the attackers reached the files through a compromised system. Houzz also has not said whether a rogue employee started the breach or a database was left unsecured.

Furthermore, the information involved in the breach includes:

  • IP address
  • Facebook login information
  • Email addresses
  • User IDs
  • Public information from a Houzz profile (for instance, name and address)
  • City and ZIP code derived from the IP address

The company also did not reveal whether the attackers distributed the data or sold it on any hacking forums. Fortunately, no payment information or SSNs were involved in the attack. The company said that actual user passwords were not compromised; instead, the attackers had access only to scrambled (hashed) passwords.

Response On Houzz Data Breach

Although the attackers did not have access to actual passwords, the company recommended that its users change their passwords. Users can do this by visiting the “Change Password” page on the website or through their account settings.

The company also sent email notifications to its users about the breach. The home improvement firm promised its users that it would improve data security. It wrote that it had started an internal investigation and engaged with law enforcement, and that it had retained a leading security forensics firm regarding the matter.

Yet, it’s not clear if the company will face penalties.

Users affected by the Houzz data breach should change their passwords immediately, and should consider using a password manager in the future.

Precautionary Steps

As mentioned earlier, a company experiencing a data breach is a matter of when, not if. Here are some suggestions:

  • Beware of phishing scams – this is one of the most common methods attackers use, in the hope of getting victims to click on malicious links.
  • Install strong security software – protect your devices with strong security software and keep your antivirus updated. This is your first line of defense.
  • Never reuse the same password for multiple online services.
  • Enable two-factor authentication.
  • Frequently check your bank accounts for suspicious activity. 
  • Close accounts that you rarely use.

Steps In A Security Risk Management Process

As threats become imminent and risks spread like fake news, organizations must put a security risk management initiative in place. Doing so means following a set of guidelines to create one effectively.

We will discuss the steps in the security risk management process. 

Risk Identification

The first step in the risk management process is to identify the risk. The source of the risk may be an information asset, an internal or external issue (e.g. one associated with a process, the business plan, etc.), or an interested party or stakeholder.

Risk Analysis

Once you know the risks, you need to consider their likelihood and impact. This allows you to distinguish low-likelihood, low-impact risks from higher ones.

Risk Evaluation

After analyzing the risk, you can prioritize the investments that are needed most and conduct reviews based on each risk’s likelihood/impact (LI) grid position. You have to document what each position means so that anyone following the method can apply it consistently.

The likelihood criteria range from very low to very high. Impact criteria range from very low, with insignificant consequences and costs, all the way up to very high, being almost certain death of the business. You get the picture. It’s not hard; it just needs clarity and documenting, otherwise my 3×4 might be different from yours and we end up back where we started at the top of the page.

Risk Treatment

Treatment of the risk, also known as ‘risk response planning’, must include the evidence behind the chosen treatment.

Risk treatment can be work you are doing internally to control or tolerate the risk, the steps you are taking to transfer the risk, or measures to eradicate the risk completely.

ISO 27001 is great here too, because the Standard also gives you the Annex A set of control objectives to consider in that treatment. The result forms the backbone of your Statement of Applicability.

Monitor And Review The Risk

The initial part of the monitor and review stage of the risk management process is to define your processes for monitoring and review.

This can be separated into the following areas:

Staff Engagement And Awareness

Get appropriate staff involved in the process regularly and have a forum to give and receive feedback.

Management Reviews

Your management reviews have to happen at least annually. However, they might not be long enough to drill into each risk.

As such, we also recommend a process where the risk owner is tasked to review each risk at a frequency based on its grid position.

For example, a monthly review for a very high likelihood, very high impact risk, whereas an annual review is fine for a very low likelihood, very low impact risk.

Then, you can show your auditor that those risk reviews are realistic, based on the impact and likelihood, which they like.
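The LI grid and grid-position review cadence described above, as an added example that is not from the original article; the scale labels, the product-based scoring and the cadence thresholds are assumptions:

```python
# Added example (not from the article): a documented likelihood/impact (LI)
# grid so two assessors score a risk identically, plus the review cadence the
# grid position implies. Scale labels, scoring and cadence thresholds are assumed.
from dataclasses import dataclass

# Five-point scales as in the text: "very low" up to "very high".
LEVELS = ["very low", "low", "medium", "high", "very high"]

# Review cadence by combined score (assumption: product of the 1..5 ratings),
# written down so everyone applies the same rule.
CADENCE = [
    (20, "monthly"),     # 20-25, e.g. very high likelihood / very high impact
    (12, "quarterly"),   # 12-19
    (6, "six-monthly"),  # 6-11
    (1, "annually"),     # 1-5, e.g. very low / very low
]

@dataclass
class Risk:
    name: str
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS

def rating(level: str) -> int:
    """Map a documented scale label to 1..5; reject labels not on the scale."""
    if level not in LEVELS:
        raise ValueError(f"undocumented level: {level!r}")
    return LEVELS.index(level) + 1

def score(risk: Risk) -> int:
    """Grid position as likelihood x impact, in the range 1..25."""
    return rating(risk.likelihood) * rating(risk.impact)

def review_cadence(risk: Risk) -> str:
    """Review frequency required by the risk's grid position."""
    s = score(risk)
    return next(cadence for threshold, cadence in CADENCE if s >= threshold)

def prioritise(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Order a register by score so investment goes where it is needed most."""
    rows = [(r.name, score(r), review_cadence(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register for illustration.
SAMPLE_REGISTER = [
    Risk("unsecured customer database", "high", "very high"),
    Risk("office flood", "very low", "very low"),
    Risk("phishing of staff credentials", "very high", "high"),
]
```

Rejecting labels that are not on the documented scale is what stops one assessor's "3×4" from silently differing from another's.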

Internal audits and the Standard’s other mechanisms in the relevant clauses can also be tied neatly into this more decisive risk review process.