No, Houseparty Probably Won’t Give You a Million Dollars

Houseparty, the “face-to-face social network” app, has had a tumultuous few weeks. Initially exploding in popularity by allowing those in self-quarantine to join a virtual room with their friends and play games and quizzes with their phones or webcams (imagine Skype with pre-programmed fun), the Epic Games owned company made headlines at the start of this week amid accusations of ‘hacking’. Houseparty hit back claiming the rumours were a “paid commercial smear campaign” and offering a million dollars to anyone who could provide them with evidence.

Now, as someone working in OSINT (that’s Open Source Intelligence) and online investigations, a chance at a million dollar cheque wasn’t something I was going to pass up. However, since I’m not writing this from the deck of my shiny new yacht, it’s fairly safe to say that Houseparty’s claims may not be the easiest to prove. In fact after reaching for clarification, the New Statesman reported that neither Houseparty nor Epic Games “have elaborated on why they believe this is a bigger conspiracy than some teens making a false correlation”.

So what exactly happened? At around 1pm GMT on 30/03/2020, users on Twitter, Whatsapp, and Instagram began posting reports that their PayPal, Spotify, and other accounts were being ‘hacked’ by Houseparty and that such hacking attempts had stopped once they had deleted the app. These reports skyrocketed on Twitter – which inevitably caused a feedback-loop of further reports.

Key viral accounts caused this spike to grow internationally, with a similar graph in the USA, the UK, countries across Europe (key being Italy and Spain – though curiously not Germany), and notably Malaysia. Accounts of note that have offered their take are Michelle Elman in the UK and Azfaheri in Malaysia, whose reach with followers significantly boosted the rumour.

Though the rumour trended on Twitter with alarming speed, it’s hard to see any patterns or evidence pointing to a co-ordinated or paid campaign to smear Houseparty. Instead, as the New Statesman offered, the phenomenon can more likely be traced back  to the app’s relatively young userbase trying to find links between malicious logins of another source and their freshly downloaded app, and some people inevitably stoking the fire with ever-escalating claims  of  ‘hacking’. Early tweets reporting issues flagged up Spotify logins while later users posted screenshots of money being withdrawn from PayPal, banking alerts, and people in Russia trying to get into their accounts. Finally, common-sense often prevails in situations like this, and a number of Twitter accounts I had been following in connection with this issue have since set themselves to “private” as their tweets have gone viral – something that any self-respecting paid disinformation shill probably wouldn’t be doing.

This brings me to a second issue raised by the #housepartyhacked phenomenon – its self-realisation. Many of the younger user-base posting screenshots on Twitter of ‘evidence’ that they were being hacked were unwittingly revealing information that could easily lead them to being victims of serious hacking or identity theft. It should be obvious that on open platforms like Twitter, you shouldn’t be uploading screenshots of your full PayPal app transactions, private alerts from your bank, or any information that, when coupled with your email address, may lead to someone logging into any of your accounts. Moreover, if you suspect your account has been compromised, deleting the program you suspect to be the culprit certainly isn't going to 'unhack' your account.

With more and more people online due to quarantine and social distancing measures across the world, it is an ideal time for actual malicious actors to strike. There is a hacking attack every 39 seconds and hackers steal 75 records every second. Despite this, most people have very lax online security, re-using one or two passwords for many of their accounts. Here at Logically, we recommend that, at a minimum, you turn on two-factor authentication where possible, and double-check your vulnerability to hacking through haveibeenpwned. You can take further measures by using password managers such as KeePass that will generate random passwords for you with over 100 characters and using a VPN to protect your online privacy.

However, all this is not to say that Houseparty is not without its faults. As a few users have noted, there is currently no direct way to delete your account from an Android device, and their uninstall messages are very pushy – forcing a user to confirm three times if they actually want to uninstall the app. The default app permissions are also rather liberal – though not a security risk, so if you want to keep the party going, it may be worth taking a look at your app access settings and enacting some of the security measures mentioned above.