The pandemic has been kind to Houseparty. As much of the world entered lockdown, the video-based social networking app was riding a wave of newfound popularity.

Much of this has been fuelled by the network effect; the more friends and family that download it, the more value it holds for others. It’s a powerful fuel for growth. But what happens when it backfires, spurred by poor password hygiene, social media hysteria and an alleged commercial smear campaign?

Yesterday – 30 March – a small Twitter storm erupted. Houseparty users complained that separate online accounts such as Spotify, Netflix, Uber and PayPal were being hacked – because of Houseparty.

“BOYCOTT HOUSEPARTY, just found out that’s how my Spotify was hacked and how many others are being hacked on various things,” read one tweet.

“DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!!” read another.

The proof? Essentially none: these accounts had been hacked after their owners had downloaded the Houseparty app. Phrases such as “Boycott Houseparty” picked up momentum. People deleted the app in droves, not wanting to take the risk, real or otherwise.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Many did not need to see the evidence first-hand – hearing that their cousin’s friend’s brother had their Spotify hacked was enough for them to erase the app from their phone.

Several tabloid newspapers picked up on the storm in a Twitter teacup and ran headlines that both fed on and fed into the “Houseparty hacked” hysteria.

This writer was approached separately by five friend and family members asking if Houseparty had been hacked – the network effect in reverse.

“No evidence”: Houseparty tries to manage the crisis

Late Monday afternoon, Houseparty attempted to put out the fires.

“We’ve found no evidence to suggest a link between Houseparty and the compromises of other unrelated accounts,” a Houseparty spokesperson told Verdict.

“As a general rule, we suggest all users choose strong passwords when creating online accounts on any platform. Use a unique password for each account, and use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.”

The company, which is owned by gaming giant Epic Games, added in a Twitter post that “All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”

The implication here is that people have been reusing passwords across different accounts. Criminals can buy up passwords exposed in historical data breaches and attempt to gain access to other accounts that use the same email address in a type of attack known as credential stuffing.

A $1m bounty

But this was not enough to stem an apparent exodus of users, seemingly undoing some of the growth that has brought an additional two million users per week this month. Then, in the early hours of Tuesday morning, the story took a dramatic turn.

“We are investigating indications that the recent hacking rumours were spread by a paid commercial smear campaign to harm Houseparty,” a Houseparty spokesperson said.

“We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign.”

We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to bounty@houseparty.com.

— Houseparty (@houseparty) March 31, 2020

Was Houseparty hacked, sabotaged or something else?

So, was Houseparty hacked? Is commercial foul play to blame? Or have people just been practising poor password hygiene? Let’s break down the possibilities.

• Houseparty has been storing passwords in plaintext and their server has been accessed, allowing scammers to steal these passwords and use them to log into accounts where the same password has been used across other online services. However, Houseparty told Verdict that there is no evidence of this – nor has anyone provided any. Houseparty added that passwords are salted and hashed, meaning that even if someone accessed the secure database in which they are stored, they would appear as meaningless symbols.

• There’s a security flaw in the app that allows hackers to inject malware. However, ESET security researcher Lukas Stefanko, who analysed the Houseparty app for Forbes, found nothing of concern. He told Verdict that if there was a flaw in the app it would require the hacker to install malware separately on each device. He added that people on both iOS and Android have claimed to be affected – making malware even less likely because the operating systems are structured in different ways.

• People are making a false equivalence between downloading the Houseparty app and another account being hacked while Houseparty has been installed. People get hacked all the time because they reuse the same password across accounts. It’s difficult to put an exact figure on this, but one estimate puts the number of attempts in the tens of billions per year. Once the social media claims gained momentum, it created a feedback loop as people looked for patterns that had correlation but no causation. Given the high volume of people that have downloaded Houseparty in recent weeks because of the pandemic, this increased the number of people that have both been hacked and happen to have Houseparty.

• A paid-for smear campaign spread rumours online to damage the brand. Houseparty hasn’t provided any evidence to support its suspicions, but the hacking allegations have no doubt been very damaging for its reputation. For Joseph Carson, chief security scientist & advisory CISO at cybersecurity firm Thycotic, the $1m reward is “misdirection” and “suggests that Houseparty is not happy with the rumours on social media and rather than investigating the root cause, such as poor password hygiene, they are adamant that they are secure”.

Indications of an influence campaign

Influence campaigns are not uncommon on social media and can see information pushed to prominence by bots or sock puppet accounts. But is there any evidence that a coordinated effort is behind the hacking allegations, as Houseparty claims?

“Honestly it’s hard to say, but I would certainly say that the volume of tweets complaining of a hack but not providing substantial information potentially suggest an influence campaign,” said Marc Owen Jones, an academic who studies the spread of false information on social media.

“It wouldn’t take much, though, to create a genuine paranoia among legitimate users, confounding the analysis somewhat.”

Jones mapped out the most influential tweets around the phrase “Housparty hacked” for Verdict, showing the activity centred around several accounts.

During his analysis, Jones also observed that the Houseparty hacked tweets “spiked suddenly” on 30 March and then died away. Most of the Tweets were from people in the UK, he added, which is odd because the app is also popular in the US and other parts of the world.

“I would expect maybe there to be continued commentary on Twitter if this was a widespread problem,” said Jones, but cautioned it would require more analysis to draw firm conclusions.

Security experts sceptical about Houseparty hacked claims

Cybersecurity experts have cast further doubt on the claims that Houseparty has been hacked.

“While there are numerous reports from users online we did not find any evidence to indicate that the HouseParty app as available from official App stores is to blame for compromises they are experiencing,” said Christoph Hebeisen, director of security intelligence research at cybersecurity firm Lookout.

“At the moment it is not clear nor is there any concrete evidence that the Houseparty App has experienced a data breach,” added Carson. “However, at this time something suspicious is occurring and further research is needed to determine what is truly going on. It could be simply that users of the Houseparty app are reusing passwords across multiple accounts and are victims of poor password hygiene with credential stuffing being the most likely technique, which is a common occurrence.”

Jake Moore, cybersecurity specialist at ESET told Verdict that while there is no “solid evidence” behind the hacking claims, it does shine a light on the privacy policy of the app.

“There seems to be quite a lot of personal data that the app pulls from each device that is used – such as device ID, internet history and other actions taken through the service,” he said. “When an app is free, it can often mean that your data is the actual price but I don’t think that this app has been hacked, nor would they keep such passwords in plain text and unencrypted.”

And Houseparty has also drawn attention after users complained about people entering video chats uninvited – although this is a feature of the app that can be turned off under privacy settings.

On the basis of the available evidence – or lack of it – there is no reason to believe that Houseparty was hacked. Whether a commercial smear campaign is to blame remains to be seen, but one thing is clear: never reuse the same password and don’t always believe what your cousin’s friend’s brother might have said.

Read more: Coronavirus: Concerns raised about Zoom’s security

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up