Houzz, a $4 billion-valued home improvement startup that recently laid off 10 percent of its staff, has admitted a data breach.
A reader contacted TechCrunch on Thursday with a copy of an email sent by the company. It doesn’t say much — such as when the breach happened, or if a hacker is to blame or if it was a data exposure that the company could’ve prevented.
Houzz spokesperson Gabriela Hebert would not comment beyond an FAQ posted on the company’s website, citing an ongoing investigation.
In that FAQ, the company said it “recently learned that a file containing some of our user data was obtained by an unauthorized third party.” It added: “We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts.”
The company said it was notifying all of its users who may have been affected.
Houzz said some publicly visible information from a user’s Houzz profile could be affected, such as name, city, state, country and profile description, along with internal identifiers and fields “that have no discernible meaning to anyone outside of Houzz,” such as the region and location of the user and if they have a profile image, for example, the company said.
The company also said that usernames and scrambled passwords were also taken.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Houzz said that the passwords were scrambled and salted using a one-way hashing algorithm, but did not provide specifics on what kind of hashing algorithm was used. Some algorithms, like MD5, are old and outdated but still in use, while newer hashing algorithms — like bcrypt — are stronger and can be more difficult to crack, depending on the number of rounds the passwords go through.
Regardless, the company recommended users change their passwords.
No financial information was taken, according to the FAQ.
The company last year was among many mocked for sending out emails to users alerting them of mandatory changes to their privacy policies ahead of the 2018-introduced EU General Data Protection Regulation (GDPR) law, saying it “value[s]” its customers privacy. “Their opening lines offer a glimpse of the way legal policy and user experience are colliding under the new regulations,” said Fast Company.
But it’s not clear if the company will face penalties — up to four percent of its global revenue — as a result of the regulation, only that the company “notified EU authorities within the statutory period,” said the spokesperson.
Another day, another breach.
