Houseparty: Is the app safe and should you delete your account?
Viral posts are suggesting that popular chat app Houseparty has been hacked – and users’ personal information stolen along with it.
Houseparty has rocketed to the top of various app stores, as a way to stay in touch with friends during coronavirus lockdowns in many parts of the world. The somewhat intense app includes a variety of features, including the ability to join in friends’ voice chats without calling them, and the option to play games within chats.
The new tweets claim that after users install the group video call platform, they find their other accounts, including their Spotify, Amazon and PayPal logins, have been compromised. They suggest that those details have been leaked from within the Houseparty app, and that downloading it caused them to lose control of their personal data.
Many of those posting the tweets suggested the only way to stay safe from any potential hack is to entirely delete the Houseparty account.
While the messages appear to have begun on Twitter, they have since spread across other networks such as WhatsApp.
But the developers of the app claim there is far more to the story. They suggest that they are the victims of a sinister smear campaign, and that the hacking rumours are entirely false.
“We are investigating indications that the recent hacking rumours were spread by a paid commercial smear campaign to harm Houseparty,” it wrote in a tweet. The company offered a $1,000,000 bounty to anyone who could provide proof of such a campaign.
“We have spent the past few weeks feeling humbled and grateful that we can be such a large part of bringing people together during such a hard time.”
Houseparty gave no detail on the “indications” they had received that the tweets were part of a smear campaign, and did not give any information on how it might have happened or who could be behind it.
Earlier, it had firmly denied that it had been hacked.
“All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites,” it wrote on Twitter.
There is no way of knowing for absolute certain that Houseparty has not been hacked. But there also doesn’t appear to be any definite evidence that Houseparty is leaking personal information or logins, and even if the tweets are not part of a malicious hacking campaign they can be explained in other more innocent ways.
The compromised accounts and the installation of Houseparty may simply be coincidence. It may simply be that the two things – an increase in hacking attempts, and the growing use of Houseparty – have the same cause in the outbreak of coronavirus, for instance.
The more likely explanation seems to be that people are re-using their passwords across a variety of different sites. People may well be using your Houseparty password to login to your Spotify, as the tweets claim – but that is probably because the passwords are the same, and they may have been leaked in some other hack.
The website “Have I Been Pwned” collects major data breaches and allows you to search through them to see if your personal information has been compromised in a known hack. If it has, then that could explain any unusual behaviour on your accounts.
Even if the Houseparty hack claimed in the tweets were real, deleting your account would not make you safe, since anyone who had stolen your passwords would still have access to the other websites they can be used to unlock.
As such, a more important job than deleting the app would be changing your passwords so that they are different across different websites. This is recommended by cyber security experts anyway, since it ensures that a hack on any particular platform will not expose your other accounts.
Researchers agreed that it seemed unlikely that the tweets were referring to a real Houseparty hack – but that they served as an important reminder of the kinds of information that apps can gather about their users, and of why it is important to ensure that data is protected to the strongest degree.
“What this has done is shone a light on the privacy policy in the app and there seems to be quite a lot of personal data that the app pulls from each device that is used – such as device ID, internet history and other actions taken through the service,” said Jake Moore, cybersecurity specialist at ESET.
“When an app is free, it can often mean that your data is the actual price, but I don’t think that this app has been hacked, nor would they keep such passwords in plain text and unencrypted.”
