- Profile information such as names, addresses, countries and descriptions, but only if the user already made this data publicly available.
- Identifiers and fields intended for internal use that would "have no discernible meaning" to external parties.
- Public and internal account information, including user IDs, past and present usernames, one-way encrypted passwords (salted uniquely per user), IP addresses, and Facebook IDs (if the user logs on to Houzz via Facebook).

In response to the incident, "We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities," the FAQ page continues. The company also reached out to potentially impacted users and advised them to change their passwords.

"While it might not be clear how this sensitive data was obtained, this is a good example of the risks of password reuse," said Tim Erlin, vice president at Tripwire, in emailed comments. "If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well."