Users of the app claim they have had their Spotify and bank accounts hacked
The company behind Houseparty, the hugely popular video chat app, has offered a $1 million reward for anyone who can provide evidence that it has become the victim of a smear campaign.
The extraordinary move, announced late on March 30, comes after rumors spread across social media that Houseparty users were being hacked. Some claimed attempts were made to access their Spotify and PayPal accounts from foreign countries after installing the Houseparty app.
Houseparty's Twitter account said: "We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to firstname.lastname@example.org"
Created in 2016, Houseparty is owned by Epic Games, a video game giant worth an estimated $18 billion. It is the company behind the hugely popular game Fortnite, as well as titles including Gears of War and Unreal Tournament. Epic Games bought Houseparty from its creator Life On Air in June 2019.
On March 30, Twitter was flooded with claims, in some cases backed up by accusatory screenshots, that new Houseparty users had witnessed unauthorized access to other online accounts, like Spotify, Netflix and PayPal.
In response to the claims, Houseparty tweeted: "All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn't collect passwords for other sites."
We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to email@example.com.
— Houseparty (@houseparty) March 31, 2020
What's going on with Houseparty?
There are several factors at play here. First, it is worth pointing out that Android users are not able to delete their Houseparty account from within the app. Instead, they are asked to send an email asking for their account to be closed. This is clearly far from ideal — especially as the number of Houseparty downloads recently surged from 130,000 a week to two million, according to Apptopia.
iPhone users are able to delete the Houseparty app, by tapping on the face icon in the top left, then the red cog icon, then by tapping on Privacy. Users are then asked to enter their Houseparty password to confirm the permanent deletion of their account, which is standard practice among many social media apps.
Despite reports of the Houseparty app then telling users their password is wrong, GearBrain was able to delete an account on an iPhone without issue.
All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn't collect passwords for other sites.
— Houseparty (@houseparty) March 30, 2020
The hacking claims are likely due to credential stuffing
While we cannot yet say with absolute certainty what is going on with Houseparty, it is looking increasingly likely that this is an example of poor password use and credential stuffing. This is where a password and email address used to log into a service that has previously been the victim of a data breach — such as Adobe, Yahoo, MySpace and countless others — is used again by its owner for something else.
The stolen usernames and passwords are obtained (or bought) by cybercriminals, who then try to log into other online services with them. This is because many people use the same password repeatedly across the web, so hackers know that with enough attempts they'll find a password that lets them into several accounts belonging to the same person. If the person doesn't have two-factor authentication (2FA) turned on for these accounts, the hacker will be granted instant access.
"Hackers use credential stuffing attacks, using passwords scooped up from previous security breaches, in an attempt to break into many, many accounts at the same time," cybersecurity expert Graham Cluley told GearBrain.
Another example of credential stuffing is the launch of Disney+ last November, where customers complained that their brand new accounts were quickly compromised. This was attributed to subscribers using passwords and email addresses that had previously been compromised, and were known by hackers.
To understand how common data breaches are, visit https://haveibeenpwned.com/ and enter your email address. If it has appeared in a stolen database, this website will tell you. In that case, you should change your passwords and start using a password manager to create strong passwords and save them for you.
The website tells you if your email address has been caught up in a data breachGearBrain
What do cybersecurity experts think?
But when it comes to Houseparty, Cluley can't pinpoint exactly what may have happened, primarily because people haven't supplied specific proof.
"Lots of people are claiming, or reshaping the claim, that installing Houseparty caused their other online accounts to be hacked... and yet no-one seems to have produced any evidence to support the claim," he said. "The most common way for people to have their accounts hacked is through phishing attack, password reuse and credential stuffing, and the likelihood is that this is what has happened in these cases too."
Cluley does urge people to use 2FA where possible, and to always use a different password for every new account they create online.
As for the Houseparty hacking claims spread on Twitter, Cluley suggests we exercise caution, as it appears at least some of these claims come from accounts that might not be legitimate, known as bots. That said, if bots are being used to spread Houseparty disinformation, this doesn't necessarily mean a smear campaign is taking place.
"Messages posted by bots do not necessarily mean an organized campaign to defame a service," he said. "It could just be that lots of users are resharing the warning about Houseparty and bots happen to also be sharing it in order to look like a genuine Twitter user. What we need is strong evidence of an organized campaign against Houseparty, and I see Houseparty is now offering a financial reward for anyone who can come up with the goods."
Can Houseparty be trusted?
The inability for Android users to delete their Houseparty account from within the app is far from ideal, and should be addressed. But, so far, there isn't strong evidence to suggest the app is responsible for hacking attempts against its users, added Cluley.
"Strong evidence should be brought to the table before anyone accuses Houseparty of any wrongdoing...It may simply be coincidence," added Cluley. "The human mind loves to make connections where no link might exist. The fact that you made an account on Houseparty may be entirely disconnected from the fact that criminals then tried to access your Spotify account."
This point is echoed by cybersecurity company Sophos, which stated in a March 31 blog post: "The fact that lots of people repeated the same condemnatory text on Twitter proves nothing. If you aren't part of the solution then you are part of the problem."
PrivacySpy gives Epic Games a score of 2.3 out of 10PrivacySpy
Also under the spotlight is the Houseparty terms of service. This document states that users grant the app "a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute" all content they create when using the app "in any and all media or distribution methods".
Location tracking is a feature of the Houseparty app that is offered when you first set up your account (to find nearby users), but can be left disabled, thus preventing the gathering of your location data.
You can ask for deletion of your data. But they can do whatever they want: erase it or not.
They seem to have trouble erasing data from archived or backup copies...
Not sure how this complies with article 17 of GDPR. pic.twitter.com/XvlM2mbDAj
— Suzanne Vergnolle (@SuVergnolle) March 22, 2020
So, while there are questions to be answered when it comes to Houseparty's handling of user data, there simply isn't enough evidence to accuse the app of hacking its users.
"The Coronavirus pandemic has driven vast numbers of people to install new software," said Cluley. "My suspicion, unless other evidence comes to light, is that there's no connection [between Houseparty and account hacking], and what's happened is that criminals are going about their normal activities of trying to break into Spotify (and other) accounts using previously breached passwords."
Instead, Cluley said, people should shore up the way they access and protect their accounts.
"In the meantime, protect your online accounts with unique passwords and 2FA, and if you do use Houseparty check your settings to ensure that you are comfortable with your chat room preferences (for instance, you may only want to allow people in you have specifically invited rather than a free-for-all)," he said.
As of September, 2021, Houseparty.com was closed by Epic Games. It was reported on September 21, 2021 by The Guardian, the video chat service is over and all the software is no longer available on any of the app stores.
Apple AirPods (2nd Generation)