In recent days warnings have spread rapidly across social networking sites that the Houseparty app – which makes it easy for anyone to drop in for a video chat with friends locked down during the Coronavirus pandemic – is unsafe.
According to claims reshared widely, users found that their other online accounts had been hacked into after they had installed the Houseparty app.
For instance, Mary from Scotland tweeted screenshots of notifications she had received that her Spotify account had been accessed from Israel, Russia, and The Netherlands.
Alongside the screenshots of the Spotify notifications she received, Mary wrote:
been hacked three times off the houseparty app into my spotify. would recommend deleting asap x
Meanwhile, others tweeted warnings to Houseparty users that they should delete their accounts and delete the app. Anything less, they claimed, would not be enough to stop their accounts on other sites from being compromised.
In no time at all, warnings were circulating on social media about email and bank accounts being hacked after installing the Houseparty app:
If anyone is using that house party app DELETE IT
My friends email account been hacked into by it
And managed to get bank account details too and has hacked that.
I’ve seen a few other people saying this too on twitter.
I also keep getting dodgey emails.
Just a warning x
Do you notice what is missing? What is absent from the warnings is any link to a legitimate computer security firm confirming that there is a problem with Houseparty.
In short: No evidence has been produced that Houseparty is unsafe or has suffered a breach.
It’s possible, of course, that the Houseparty app does (like any other complex piece of software) contain flaws and vulnerabilities, but despite the attention of world-renowned researchers no security firm has raised the alarm that installing the app leads to, say, your Spotify account being compromised.
What we do see are lots of people claiming, and most often resharing the claim, that after their other online accounts were hacked after they installed Houseparty. And yet no strong evidence is presented.
Houseparty, for its part, has isssued a statement saying that it has not been breached.
All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.
— Houseparty (@houseparty) March 30, 2020
Epic Games, the owners of Houseparty, has even taken the unusual step of offering a US $1,000,000 reward for anyone who can provide evidence that the hacking rumours were started by someone attempting to inflict financial harm on the app.
We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to [email protected].
— Houseparty (@houseparty) March 31, 2020
I’m not sure I would go so far as to believe that the hack rumours were deliberately started in an attempt to harm Houseparty rather than simple human daftness, but weirder things have happened.
By far the most common way for accounts to be hacked is through a phishing attack, password reuse, and credential stuffing. And if I were to put any money on it, that’s what I would imagine is happened to the users who reported their accounts had been compromised too.
The mind loves to try to make connections, even when a link doesn’t exist. The fact that you made an account on Houseparty may be entirely disconnected from the fact that criminals then tried to access your Spotify account. Hackers use credential stuffing attacks, using passwords scooped up from previous security breaches, all the time in an attempt to break into accounts.
The fact that you installed Houseparty and then your Spotify account was breached may be entirely and utterly unconnected.
Spotify is a very widely used app, and millions of people have probably downloaded the Houseparty app in the last couple of weeks. But that doesn’t mean Houseparty caused your Spotify account, or email account, or bank account to be hacked.
The Coronavirus pandemic has driven vast numbers of people to install new software. My suspicion, unless other evidence comes to light, is that there’s no connection… and what has happened is that criminals are going about their normal activities of trying to break into Spotify (and other) accounts using previously breached passwords.
Users should enable two-factor authentication (2FA) on any online accounts that support it (so if a password is stolen, it alone won’t actually give the attacker access to accounts). In addition users should follow standard best practices of never ever reusing passwords.
And, if you’re going to use Houseparty, do be sensible about setting permissions about who can access your chat room. To avoid problems like Zoombombing you might be wise to limit access to only invited friends.
For more discussion on this topic, listen to the latest “Smashing Security” podcast: