SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Houseparty denies security breach as users accuse app of hacking accounts
Tue, 31st Mar 2020

The new reality of social isolation has well and truly set in for millions around the world living in lockdown in the wake of the COVID-19 pandemic.

As social beings with an internet connection, some have gravitated towards an app called Houseparty, a face-to-face video hosting service like FaceTime, but with the added bonus of built-in interactive games.

The app, originally launched in 2016, is fast becoming a staple among the socially-deprived, and with all the new attention and publicity, it seemingly has nowhere to go but up – according to Apptopia data cited by VentureBeat, Houseparty's downloads surged by 2,000% from mid-February to mid-March.

Except now it is facing accusations from users that some of their other accounts, like Netflix and Spotify, have been hacked as a result of having used Houseparty.

Some users also claimed their PayPal account was affected by Houseparty. However, a spokesperson from PayPal noted that 'no PayPal accounts globally were compromised as a result of the Houseparty app'.

Users tweeted screenshots of what they say are compromised accounts from other services, blaming Houseparty.

In response, Houseparty said it has seen no evidence of a breach and told Business Insider that users should refrain from using the same passwords and usernames across different accounts.

“As a general rule, we suggest all users choose strong passwords when creating online accounts on any platform,” says a Houseparty spokeswoman.

“Use a unique password for each account, and use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.”

Sophos senior security advisor John Shier agrees, saying the explanation for the compromised user accounts is a lack of security hygiene, rather than privacy violations committed by Houseparty, of which there is no evidence.

“The news that Houseparty has been hacked is causing a bit of a stir on social media at the moment,” says Shier.

“The puzzling thing is that there's no evidence to suggest that Houseparty has been hacked and credentials stolen.

“One likely scenario is that the Houseparty app is the last app many users may have installed and registered using the same credentials as other apps, such as Netflix, Spotify and countless others,” says Shier.

“Criminals are constantly using old, compromised credentials to access online services in credential stuffing attacks.

“Correlating these two events seems to be what's causing all the fuss. If you are worried about these types of cyberattacks, our advice is to always turn on multifactor authentication (when available) and use a password manager to create and store long, complex and unique passwords for each service you sign up for.”