A MySQL database dump and customer CSV from Havenly, the Denver-based online interior-design platform, is circulating on dark-web forums. The combined data covers roughly 1.7 million users and includes bcrypt-hashed passwords, names, phone numbers, ZIP codes, and Stripe customer IDs.
The SQL dump is the more interesting half. The schema reveals usernames, full names, email addresses, bcrypt password hashes, phone numbers, ZIP codes, Stripe customer IDs, Facebook OAuth IDs, referral data, subscription state, and account metadata. The companion CSV contains user IDs, email addresses, first and last names, account creation timestamps, addresses, and lifetime-value figures pulled from internal analytics.
Bcrypt blunts the worst case
As with the recent DataCamp dump, Havenly's choice of password storage has done its job. Bcrypt is slow enough that an attacker would need to be highly motivated and well-resourced to recover any meaningful number of plaintext passwords. The bigger concern is the metadata: a verified pairing of name, email, address, and Facebook OAuth identifier from a single household-services platform is the kind of data that powers convincing phone or text scams about delivery, return, or design-consultation status.
If you used Havenly during the period the dump covers, rotate the password and disconnect any third-party OAuth links that you no longer use. The dataset is searchable here.