The pandemic has been kind to Houseparty. As much of the world entered lockdown, the video-based social networking app was riding a wave of newfound popularity.
Much of this has been fuelled by the network effect; the more friends and family that download it, the more value it holds for others. It’s a powerful fuel for growth. But what happens when it backfires, spurred by poor password hygiene, social media hysteria and an alleged commercial smear campaign?
Yesterday – 30 March – a small Twitter storm erupted. Houseparty users complained that separate online accounts such as Spotify, Netflix, Uber and PayPal were being hacked – because of Houseparty.
“BOYCOTT HOUSEPARTY, just found out that’s how my Spotify was hacked and how many others are being hacked on various things,” read one tweet.
“DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!!” read another.
The proof? Essentially none: these accounts had been hacked after their owners had downloaded the Houseparty app. Phrases such as “Boycott Houseparty” picked up momentum. People deleted the app in droves, not wanting to take the risk, real or otherwise.
Many did not need to see the evidence first-hand – hearing that their cousin’s friend’s brother had their Spotify hacked was enough for them to erase the app from their phone.
Several tabloid newspapers picked up on the storm in a Twitter teacup and ran headlines that both fed on and fed into the “Houseparty hacked” hysteria.
This writer was approached separately by five friends and family members asking if Houseparty had been hacked – the network effect in reverse.
“No evidence”: Houseparty tries to manage the crisis
Late Monday afternoon, Houseparty attempted to put out the fires.
“We’ve found no evidence to suggest a link between Houseparty and the compromises of other unrelated accounts,” a Houseparty spokesperson told Verdict.
“As a general rule, we suggest all users choose strong passwords when creating online accounts on any platform. Use a unique password for each account, and use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.”
The company, which is owned by gaming giant Epic Games, added in a Twitter post that “All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”
The implication here is that people have been reusing passwords across different accounts. Criminals can buy up email address and password pairs exposed in historical data breaches and try those same combinations against other services, in a type of attack known as credential stuffing.
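Credential stuffing has a recognisable shape on the defender's side: one source trying many different usernames in a short window, failing on most of them and occasionally succeeding where a password has been reused. The following is an added example, not code from the article or from Houseparty, that scans constructed authentication log lines for that pattern. The log format, the five-minute window and the thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not part of the original article. Log format, window
and thresholds are assumptions; the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <outcome>"
SAMPLE_LOG = """\
2020-03-30T09:00:01 203.0.113.7 alice FAIL
2020-03-30T09:00:02 203.0.113.7 bob FAIL
2020-03-30T09:00:02 203.0.113.7 carol FAIL
2020-03-30T09:00:03 203.0.113.7 dave SUCCESS
2020-03-30T09:00:04 203.0.113.7 erin FAIL
2020-03-30T09:00:05 203.0.113.7 frank FAIL
2020-03-30T09:00:06 203.0.113.7 grace FAIL
2020-03-30T09:00:07 203.0.113.7 heidi FAIL
2020-03-30T09:10:00 198.51.100.4 alice FAIL
2020-03-30T09:10:05 198.51.100.4 alice FAIL
2020-03-30T09:10:09 198.51.100.4 alice SUCCESS
"""

WINDOW = timedelta(minutes=5)   # assumed analysis window
MIN_DISTINCT_USERS = 5          # assumed: one source, many accounts
MIN_FAILURE_RATIO = 0.7         # assumed: mostly wrong guesses


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"


def find_stuffing_sources(log_text, window=WINDOW,
                          min_users=MIN_DISTINCT_USERS,
                          min_failure_ratio=MIN_FAILURE_RATIO):
    """Return {ip: summary} for sources whose activity within any window
    spans many distinct usernames with a high failure ratio. Accounts that
    the source logged into successfully are listed so they can be notified
    and forced through a password reset."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            ratio = failures / len(span)
            if len(users) >= min_users and ratio >= min_failure_ratio:
                summary = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failure_ratio": round(ratio, 2),
                    "compromised_users": sorted(u for _, u, ok in span if ok),
                }
                # Keep the widest matching span seen for this source.
                if ip not in flagged or summary["attempts"] > flagged[ip]["attempts"]:
                    flagged[ip] = summary
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The second source in the sample, a single user failing twice before logging in, is ordinary fat-fingering and is not flagged; the first source touches eight accounts in six seconds and succeeds on one, which is exactly the account whose owner has reused a leaked password.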
A $1m bounty
But this was not enough to stem an apparent exodus of users, seemingly undoing some of the growth that has brought an additional two million users per week this month. Then, in the early hours of Tuesday morning, the story took a dramatic turn.
“We are investigating indications that the recent hacking rumours were spread by a paid commercial smear campaign to harm Houseparty,” a Houseparty spokesperson said.
“We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign.”
We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to firstname.lastname@example.org.
— Houseparty (@houseparty) March 31, 2020
Was Houseparty hacked, sabotaged or something else?
So, was Houseparty hacked? Is commercial foul play to blame? Or have people just been practising poor password hygiene? Let’s break down the possibilities.
- Houseparty has been storing passwords in plaintext and their server has been accessed, allowing scammers to steal these passwords and use them to log into accounts where the same password has been used across other online services. However, Houseparty told Verdict that there is no evidence of this – nor has anyone provided any. Houseparty added that passwords are salted and hashed, meaning that even if someone accessed the secure database in which they are stored, they would appear as meaningless symbols.
- There’s a security flaw in the app that allows hackers to inject malware. However, ESET security researcher Lukas Stefanko, who analysed the Houseparty app for Forbes, found nothing of concern. He told Verdict that if there was a flaw in the app it would require the hacker to install malware separately on each device. He added that people on both iOS and Android have claimed to be affected – making malware even less likely because the operating systems are structured in different ways.
- People are making a false equivalence between downloading the Houseparty app and another account being hacked while Houseparty has been installed. People get hacked all the time because they reuse the same password across accounts. It’s difficult to put an exact figure on this, but one estimate puts the number of attempts in the tens of billions per year. Once the social media claims gained momentum, it created a feedback loop as people looked for patterns that had correlation but no causation. Given the high volume of people that have downloaded Houseparty in recent weeks because of the pandemic, this increased the number of people that have both been hacked and happen to have Houseparty.
- A paid-for smear campaign spread rumours online to damage the brand. Houseparty hasn’t provided any evidence to support its suspicions, but the hacking allegations have no doubt been very damaging for its reputation. For Joseph Carson, chief security scientist & advisory CISO at cybersecurity firm Thycotic, the $1m reward is “misdirection” and “suggests that Houseparty is not happy with the rumours on social media and rather than investigating the root cause, such as poor password hygiene, they are adamant that they are secure”.
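The first possibility above turns on the difference between plaintext storage and salted hashing. The following is an added example, not Houseparty's code and not a description of its actual scheme, showing what a salted, hashed password record looks like and why two users who chose the same password end up with different records. PBKDF2-SHA256 with a 100,000-iteration work factor is an assumption made for illustration.

```python
"""Salted password hashing versus plaintext storage.

Added example, not part of the original article and not Houseparty's
implementation. Algorithm choice and work factor are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest'.
    A fresh random salt is drawn per record unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_user_table(credentials):
    """Constructed user table: {username: stored record}. Passwords never persist."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def records_differ_for_same_password(table, user_a, user_b) -> bool:
    """True when two stored records differ even if the plaintexts were equal;
    this is what the per-user salt buys over a plain hash."""
    return table[user_a] != table[user_b]


if __name__ == "__main__":
    # Constructed sample users; two of them reuse the same password.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse"})
    for user, record in table.items():
        print(user, record)
    print(records_differ_for_same_password(table, "alice", "bob"))
    print(verify_password("correct horse", table["alice"]))
    print(verify_password("wrong", table["alice"]))
```

A leaked table of such records gives an attacker only salts and digests to grind through, one guess at a time per user. It protects against exactly the breach scenario in the first bullet, and against nothing else: if the same password was exposed in plaintext by some other site, the record here is irrelevant, which is why the unique-password advice in Houseparty's statement is the part that matters.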
Indications of an influence campaign
Influence campaigns are not uncommon on social media and can see information pushed to prominence by bots or sock puppet accounts. But is there any evidence that a coordinated effort is behind the hacking allegations, as Houseparty claims?
“Honestly it’s hard to say, but I would certainly say that the volume of tweets complaining of a hack but not providing substantial information potentially suggest an influence campaign,” said Marc Owen Jones, an academic who studies the spread of false information on social media.
“It wouldn’t take much, though, to create a genuine paranoia among legitimate users, confounding the analysis somewhat.”
Jones mapped out the most influential tweets around the phrase “Housparty hacked” for Verdict, showing the activity centred around several accounts.
During his analysis, Jones also observed that the Houseparty hacked tweets “spiked suddenly” on 30 March and then died away. Most of the tweets were from people in the UK, he added, which is odd because the app is also popular in the US and other parts of the world.
“I would expect maybe there to be continued commentary on Twitter if this was a widespread problem,” said Jones, but cautioned it would require more analysis to draw firm conclusions.
Security experts sceptical about Houseparty hacked claims
Cybersecurity experts have cast further doubt on the claims that Houseparty has been hacked.
“While there are numerous reports from users online we did not find any evidence to indicate that the HouseParty app as available from official App stores is to blame for compromises they are experiencing,” said Christoph Hebeisen, director of security intelligence research at cybersecurity firm Lookout.
“At the moment it is not clear nor is there any concrete evidence that the Houseparty App has experienced a data breach,” added Carson. “However, at this time something suspicious is occurring and further research is needed to determine what is truly going on. It could be simply that users of the Houseparty app are reusing passwords across multiple accounts and are victims of poor password hygiene with credential stuffing being the most likely technique, which is a common occurrence.”
“There seems to be quite a lot of personal data that the app pulls from each device that is used – such as device ID, internet history and other actions taken through the service,” he said. “When an app is free, it can often mean that your data is the actual price but I don’t think that this app has been hacked, nor would they keep such passwords in plain text and unencrypted.”
And Houseparty has also drawn attention after users complained about people entering video chats uninvited – although this is a feature of the app that can be turned off under privacy settings.
On the basis of the available evidence – or lack of it – there is no reason to believe that Houseparty was hacked. Whether a commercial smear campaign is to blame remains to be seen, but one thing is clear: never reuse the same password and don’t always believe what your cousin’s friend’s brother might have said.