
from the talk-about-unwanted-houzz-guests dept.
The housing design site Houzz.com suffered a breach in 2018 that exposed, for 49 million users:
Certain publicly visible information from a user's Houzz profile only if the user made this information publicly available (e.g., first name, last name, city, state, country, profile description)
Certain internal identifiers and fields that have no discernible meaning to anyone outside of Houzz (e.g. country of site used, whether a user has a profile image)
Certain internal account information (e.g., email address, user ID, prior Houzz usernames, one-way encrypted passwords salted uniquely per user, IP address, and city and ZIP code inferred from IP address) and certain publicly available account information (e.g., current Houzz username and, if a user logs into Houzz through Facebook, the user's public Facebook ID)
The company learned of the breach in December and notified users in February.
User passwords were reset at that time and the company published an FAQ on their website.
Data on this has now been provided to that site we all love to check, HaveIBeenPwned.
As of this submission, the breach is listed on HaveIBeenPwned's RSS feed here, but the breaches page of pwned websites does not yet list it.
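The summary notes that the exposed passwords were "one-way encrypted" and "salted uniquely per user", and that Houzz forced a reset anyway. The following is an added example, not Houzz's actual scheme or any code from the company: it assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and a self-describing record format (`pbkdf2_sha256$iterations$salt$digest`, both assumptions chosen here) to show what per-user salting buys a site after a breach, namely that two users with the same password produce unrelated records, so a leaked table cannot be cracked with one precomputed lookup, and why a reset is still prudent when records are stored with a cost factor that a site later considers too low.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not Houzz's real values).
ALGORITHM = "sha256"
DEFAULT_ITERATIONS = 200_000   # production deployments should pick a higher cost
SALT_BYTES = 16
SCHEME = "pbkdf2_" + ALGORITHM


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a password with a per-user random salt.

    Returns a record 'pbkdf2_sha256$iterations$salt_b64$digest_b64' so the
    verifier can recover the parameters without a separate lookup table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh, unique salt for every user
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    scheme, iters, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported hash scheme: " + scheme)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a lower cost than the current policy.

    A site that learns its database leaked can use this to decide which
    accounts must be reset rather than silently upgraded on next login.
    """
    iterations, _, _ = _parse(record)
    return iterations < min_iterations


def salts_are_unique(records) -> bool:
    """Check that no two stored records share a salt (a common audit step)."""
    salts = [_parse(r)[1] for r in records]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ despite identical password:", alice != bob)
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", verify_password("hunter2", alice))
    print("salts unique:", salts_are_unique([alice, bob]))
```

Because each record carries its own salt and iteration count, `verify_password` never needs a global secret, and `needs_rehash` lets an operator sweep the table after an incident and pick out accounts stored under an older, weaker policy.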
[Are there any Soylentils who have NOT had private information leaked/breached? From a different perspective, how many times has your data been pwned? What, if anything, did/could you do about it? -Ed.]
(Score: 2) by MichaelDavidCrawford on Thursday March 14 2019, @04:10AM (1 child)
That's the _specific_ reason I regard single sign-on as morally reprehensible. I never ever ever sign on with Facebook nor Twitter; if as with Medium I have no other choice then I do not sign in at all.
That right there - the correlation of my nick among multiple websites - is my Line In The Sand that simply must not be crossed.
It's not like my own nick is any manner of national defense secret, but there are a great many people for whom their own nicks really are concerns of national security, in the specific cases of political activists such as Occupy Wall Street enthusiasts.
I remain puzzled as to how to convince their sorry lot to stop organizing through Facebook and Gmail. That's just like delivering themselves personally to the Manhattan Borough Jail.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Informative) by Anonymous Coward on Thursday March 14 2019, @09:32AM
Just to clarify, it's the Manhattan Detention Complex. More popularly known as The Tombs [wikipedia.org].
You left coasters just don't understand New York. Just sayin'...
(Score: 0) by Anonymous Coward on Thursday March 14 2019, @01:01PM
There was Aetna. There was that company, the name of which I forget, which isn't Experian or Transunion. Then I got a notice about some settlement for a data breach which involved Experian and T Mobile. That was weird, since I don't recall ever doing any business with T Mobile. An adult site leaked my user ID and email address. (A different adult site once sent me an email which contained another user's ID and their email address.) Those are the only ones I can think of at the moment.
(Score: 0) by Anonymous Coward on Thursday March 14 2019, @03:42PM (3 children)
Would it have been so hard to write what "Houzz" is? I never heard of it until the article here.
All the other details were meaningless because they had no discernible meaning to me, having not used Houzz.
(Score: 0) by Anonymous Coward on Thursday March 14 2019, @04:16PM (2 children)
You do realize that the first sentence of TFS begins with:
Are we now not even reading TFS and just going by the headline?
(Score: 0) by Anonymous Coward on Thursday March 14 2019, @07:38PM (1 child)
I had never heard of the site, and supposedly they have "49 million users"?
Just like "Ashley Madison", I guess.
(Score: 1) by RandomFactor on Thursday March 14 2019, @08:02PM
I had never heard of them either, yet they have information on ~1/7th of the U.S.?
I decided why ask why and ignored that.
There is no news in Pravda, and no truth in Izvestia.
(Score: 0) by Anonymous Coward on Thursday March 14 2019, @10:42PM
AC accounts can't be pwned. Sites which don't allow anonymous input don't get input. Sites I really need logins for get a unique password. I use a sensible, local password vault.
Surely some of the forum accounts have been pwned but that's not 'me' as there's no data about me beyond already-public forum posts, no user access credentials beyond that particular forum.
Locally, also no pwns. Home network is walled off with openbsd/pf. Sensible noscript/adblock/requestpolicy rules (read: default reject all).
So far the real attack surface, for me, is government agencies. My tax records are only as secure as our gov tax system. But that level of system, I have no control over.
Work has been pwned - someone internal running windows did something or other, and we got some mild nasties - but my machines weren't.