Houseparty is one of the must-have apps for people self-isolating or in lockdown during the coronavirus pandemic. With more than 10 million downloads from Google Play, and daily downloads increasing from 24,795 per day on February 15 to an astonishing 651,694 on March 25, Houseparty popularity shows no sign of slowing down. Until now.
People across social media have been complaining that their Netflix, PayPal and Spotify accounts have been hacked, and they are blaming Houseparty. Now Houseparty, whose parent company is Fortnite developer Epic Games, is fighting back with a denial and the offer of a $1 million (£810,000) reward for the first person who can provide proof of a “paid commercial smear campaign” to harm Houseparty.
Has Houseparty been hacked?
Houseparty app users have been taking to social media to complain that the group video game-playing sensation is to blame for the compromise of various accounts, including online banking, Netflix, PayPal and Spotify. The volume of these complaints has become viral itself, despite there being absolutely no evidence at all to suggest that Houseparty is linked to any hacking incidents. The only connection to any other account compromise would appear to be that Houseparty was either the last app installed or, as the hacking rumors started to gain traction on Twitter, that others were blaming the app. I have not seen a single piece of actual evidence that any hack can be attributed to Houseparty, and nor would it seem have the Houseparty developers themselves.
Keen to put a stop to the rumors, Houseparty tweeted that the service was secure and has never been compromised.
Is the Houseparty app safe to use?
Cybersecurity experts have already analyzed Houseparty app permissions and usage and found these to be logical, necessary and with no evidence of any shady misuse. While no app can be guaranteed 100% secure, that analysis concluded that the few in-app options and settings meant it created fewer “scenarios for exploiting security issues.”
What is behind the Houseparty hacking rumors?
The most likely reason that people have had various accounts hacked is a sadly all too common one: credential stuffing attacks. This is where cyber-criminals use lists of login credentials from successful hack attacks to try and gain access to other sites and services. Like many others, I have been warning against password sharing between accounts for the longest time. Stolen password databases regularly get sold, or given away for free, on the Dark Web. If someone uses the same login credentials for an account that has been compromised, and these credentials find their way into such a database, then hackers will use these to try against popular services like Netflix, PayPal and Spotify funnily enough, to see if they have been reused. If they have, then a credential stuffing attack will be successful, and the account will be compromised. You can even check to see if your password has been compromised in a previous attack by using the free Have I Been Pwned database.
Houseparty sabotage suspected, $1 million reward offered
Houseparty has reason to believe that the hacking rumors have more than just an unfortunate and ill-considered social media grapevine behind them. It has tweeted that it is “investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty.” What’s more, Houseparty is prepared to put its money where its claim is: it is offering a $1 million (£810,000) bounty for the first person to provide them with the proof of such a smear campaign.
If you have that proof and want to claim the reward, then contact the Houseparty developers directly by email to email@example.com
If you want to better protect your accounts, all accounts, then you should ensure that you don’t reuse your password anywhere, that it is suitably and robustly constructed, and that you enable two-factor authentication wherever possible to make credential stuffing attacks much harder to pull off.