Houseparty: Is the app safe and should you delete your account?

Hacking rumours are a reminder to be careful about passwords and other personal data

Andrew Griffin
Wednesday 01 April 2020 09:01 BST
Comments

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Viral posts are suggesting that popular chat app Houseparty has been hacked – and users’ personal information stolen along with it.

Houseparty has rocketed to the top of various app stores, as a way to stay in touch with friends during coronavirus lockdowns in many parts of the world. The somewhat intense app includes a variety of features, including the ability to join in friends’ voice chats without calling them, and the option to play games within chats.

The new tweets claim that after users install the group video call platform, they find their other accounts, including their Spotify, Amazon and PayPal logins, have been compromised. They suggest that those details have been leaked from within the Houseparty app, and that downloading it caused them to lose control of their personal data.

Many of those posting the tweets suggested the only way to stay safe from any potential hack is to entirely delete the Houseparty account.

While the messages appear to have begun on Twitter, they have since spread across other networks such as WhatsApp.

But the developers of the app claim there is far more to the story. They suggest that they are the victims of a sinister smear campaign, and that the hacking rumours are entirely false.

“We are investigating indications that the recent hacking rumours were spread by a paid commercial smear campaign to harm Houseparty,” it wrote in a tweet. The company offered a $1,000,000 bounty to anyone who could provide proof of such a campaign.

“We have spent the past few weeks feeling humbled and grateful that we can be such a large part of bringing people together during such a hard time.”

Houseparty gave no detail on the “indications” they had received that the tweets were part of a smear campaign, and did not give any information on how it might have happened or who could be behind it.

Earlier, it had firmly denied that it had been hacked.

“All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites,” it wrote on Twitter.

There is no way of knowing for absolute certain that Houseparty has not been hacked. But there also doesn’t appear to be any definite evidence that Houseparty is leaking personal information or logins, and even if the tweets are not part of a malicious hacking campaign they can be explained in other more innocent ways.

The compromised accounts and the installation of Houseparty may simply be coincidence. It may simply be that the two things – an increase in hacking attempts, and the growing use of Houseparty – have the same cause in the outbreak of coronavirus, for instance.

The more likely explanation seems to be that people are re-using their passwords across a variety of different sites. People may well be using your Houseparty password to login to your Spotify, as the tweets claim – but that is probably because the passwords are the same, and they may have been leaked in some other hack.

The website “Have I Been Pwned” collects major data breaches and allows you to search through them to see if your personal information has been compromised in a known hack. If it has, then that could explain any unusual behaviour on your accounts.

Even if the Houseparty hack claimed in the tweets were real, deleting your account would not make you safe, since anyone who had stolen your passwords would still have access to the other websites they can be used to unlock.

As such, a more important job than deleting the app would be changing your passwords so that they are different across different websites. This is recommended by cyber security experts anyway, since it ensures that a hack on any particular platform will not expose your other accounts.

Researchers agreed that it seemed unlikely that the tweets were referring to a real Houseparty hack – but that they served as an important reminder of the kinds of information that apps can gather about their users, and of why it is important to ensure that data is protected to the strongest degree.

“What this has done is shone a light on the privacy policy in the app and there seems to be quite a lot of personal data that the app pulls from each device that is used – such as device ID, internet history and other actions taken through the service,” said Jake Moore, cybersecurity specialist at ESET.

“When an app is free, it can often mean that your data is the actual price, but I don’t think that this app has been hacked, nor would they keep such passwords in plain text and unencrypted.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in