Rawpixel.com - Fotolia

Houseparty denies hack as credential stuffing attacks spread

Social media service denies its service has been hacked, and is offering a million-dollar bounty to anybody who can prove otherwise

Houseparty, a video chat and social media network that has shot to prominence during the Covid-19 coronavirus lockdown, has been forced to deny it has been the victim of a hack, and is offering a $1m (£800,000/€900,000) bug bounty to anyone who can prove otherwise.

The service, which is owned by Epic Games, the US studio behind the Fortnite franchise, has become the subject of a deluge of rumours that its service has been compromised by cyber criminals. Many users of the service have reported that their Netflix, PayPal and Spotify accounts have been compromised.

In a statement on its Twitter feed, a Houseparty spokesperson said: “All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.

“We are investigating indications that the recent hacking rumours were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign.”

At the time of writing, no security researchers had found any indication that there was anything amiss with the Houseparty service, or any evidence of a cyber attack or data breach.

This may suggest that the rumours may be a case of mass hysteria and disinformation spreading rapidly during a uniquely stressful time.

John Shier, senior security adviser at Sophos, suggested that Houseparty users may actually be falling victim to credential stuffing attacks, which are a function of poor password hygiene, and not a failing of a service provider.

“The news that Houseparty has been hacked is causing a bit of a stir on social media at the moment,” said Shier. “One likely scenario is that the Houseparty app is the last app many users may have installed and registered using the same credentials as other apps, such as Netflix, Spotify and countless others.

“Criminals are constantly using old, compromised credentials to access online services in credential stuffing attacks. Correlating these two events seems to be what’s causing all the fuss.”

Shier added: “If you are worried about these types of cyber attacks, our advice is to always turn on multifactor authentication (when available) and use a password manager to create and store long, complex and unique passwords for each service you sign up for.” 

In the light of a growing and vocal movement urging users to uninstall and boycott the service, Sophos said it was unwise for users to accuse Houseparty or Epic Games of malfeasance without strong evidence.

“The fact that lots of people repeated the same condemnatory text on Twitter proves nothing,” said Paul Ducklin, one of the firm’s Naked Security analysts. “If you aren’t part of the solution, then you are part of the problem.”

Ducklin said Houseparty users should also be wary of assuming that deleting the app will fix their problems, and that the best option for users is to frequently change passwords to strong, unique combinations across the various online services they use.

Read more about credential stuffing

  • A mandatory password reset for all Londoners who use TfL’s Oyster and contactless payment systems followed a minor breach incident.
  • Video-sharing website Dailymotion reset passwords for an unknown number of users following ‘large-scale’ credential stuffing attacks that lasted for more than six days before being stopped.
  • Credential stuffing activity is outpacing the growth of other cyber attacks and enabling account takeover attacks. Akamai Technologies’ Patrick Sullivan explains the threat.

Brian Higgins, security specialist at Comparitech, said: “There is a rising wave of cyber crime activity directly linked to the global uptake of group social media platforms now that everyone is in isolation.

“I’d definitely recommend deleting any apps you think may be causing you and your contacts harm. However, in this case I’d give Houseparty a chance to investigate and explain what’s happening. They’re clearly providing a vital service to people’s mental health and wellbeing.

“By all means do whatever you think is necessary to stay safe online while the Covid-19 pandemic plays out, but it’s always best to make informed decisions. There are any number of reasons why the online activity highlighted on Twitter could be happening.”

Despite the weight of current evidence suggesting that Houseparty has not been hacked, there are some safety and privacy concerns that users should be aware of, particularly parents supervising children.

Many users are not aware of the privacy implications of how the app works and how people can drop in when they don’t want or expect them to,” said Christoph Hebeisen, director of security intelligence at Lookout, a supplier of mobile security services. “This can obviously lead to awkward situations.”

In particular, chats that are left “unlocked” in the user’s settings can be gate-crashed by uninvited contacts. According to the BBC, this has led to some inappropriate behaviour, including more than one incident of so-called “porn-bombing”, where unsolicited pornographic images are shown to users.

The service’s full privacy policy can be accessed here. Computer Weekly contacted Houseparty’s press office for further comment, but had not received a response at the time of writing.

Read more on Hackers and cybercrime prevention

Data Center
Data Management