
Has Houseparty really hacked your phone and stolen your bank details?

There's one thing missing in all the claims that deleting the Houseparty app will "unhack" you - evidence

If you’re at home right now – and who isn’t? – then you’ve probably heard of Houseparty.
It’s a social networking app that came out back in 2015 and was bought by Epic Games – famous for Unreal and Fortnite – in the middle of 2019.
The name gives you a good idea of what it does: simply put, you go online, hang out and other members (players?) can join you in your “room” and engage in face-to-face chat, or as close to face-to-face as you can get in a virtual world.
Think of it as a multiuser video call that friends and family – or, indeed, anyone, if that’s your thing – can wander in and say, “Hi.”
As the app makers themselves put it early last year:

We’re the face-to-face social network bringing friends together for live video hangouts. Now, with the Heads Up! game available in app, we’re introducing a new way for users to spend time together.
[…]
Houseparty only works when people are online together. There’s no liking, commenting, or scrolling. Instead, the Houseparty experience brings empathy to online communication by requiring in-the-moment conversations and facilitating casual “drop-ins” from friends.

Imagine a video calling service, like Zoom or Skype, but without calls and conferences and meetings – it’s like arriving at the pub to see who’s there, rather than booking a table at a bistro and meeting a specific group who have all agreed to the time and place.


And, as Houseparty noted in the same article, given that the North American winter was in full swing at the time:

Whether snowed in, away from home, or just too cozy to leave bed, here’s another way to bond with your closest friends when you can’t be together!

For “snow” read “coronavirus lockdown” and you can understand why the app has become hugely popular in the last few weeks, as people try to maintain a social life of sorts when they aren’t allowed out to meet other people at all.

Has the party gone wrong?

Well, the Houseparty team have suddenly been turned into the bad guys, with breathless comments on other social networks warning you to stop using the app right away:

If anyone is using that house party app DELETE IT
My friends email account been hacked into by it
And managed to get bank account details too and has hacked that.
I've seen a few other people saying this too on twitter.
I also keep getting dodgey emails.
Just a warning x

Is there any truth in this?
To be honest, we can’t tell you that the Houseparty app is bug-free, because we haven’t decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative.
But the claim in the post above is not that there’s a bug that’s being exploited in the app.
Instead, to us the post seems very clearly to imply that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality.
And as unlikely as that sounds, and for all that Houseparty itself has stated this…


…there are pages of counter-tweets insisting that…

BOYCOTT HOUSEPARTY, just found out that's how my Spotify was hacked
and how many others are being hacked on various things
DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!!
Didn’t realise what was happening when i got these emails but is 100% that houseparty app!!
Three new logins to my spotify and someone tried to reset my password for netflix!!
Not worth it the risk

Well, here’s the thing.
There’s one thing missing in all of these aggressive!!! and SHOUTY!!!!! claims, and that is evidence.

What happened?

At the moment, we don’t know what kicked off the storm of accusations, but Houseparty says [2020-03-31T03:21Z] it is “investigating indications” that the whole thing started as a smear campaign, to the point of offering a huge reward for proof:


But could a security bug in the app or a breach on Houseparty’s own servers have a knock-on effect by which other hackers – not Houseparty itself, but opportunists elsewhere – could break into your other online accounts?
In theory, yes, assuming that you used the same password on your other accounts so that your Houseparty password would effectively be a master key for all of them.
You have to type your password into the app at least once when you set it up, so your keystrokes are revealed to the app, from which it is at least theoretically possible they might leak – though your keystrokes would also, in theory, be revealed to other apps active on your phone at the same time, including malware running in the background.
And any online service that has user accounts needs to maintain a user database by which it can verify passwords, so a server breach could, in theory, expose that database to a hacker.
Note that very few online services actually store the text of your password – they store what’s called a hash of the password that can be used for verification instead.
For the technical details of how this works, see our article Serious Security: How to store your users’ passwords safely.
So, crooks who steal a password database – and there is no evidence that happened here at all – can’t directly read out the passwords, but they can try to crack them one-by-one using trial-and-error, which sometimes lets them figure out a few passwords, usually those that are shortest and most likely to be tried first.
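
The hash-and-verify scheme described above, and the one-by-one trial-and-error that a stolen database permits, as an added example that is not code from this article or from Houseparty. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and an illustrative iteration count; the accounts, passwords and guess list are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not taken from the article).
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password text itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the hash from a login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def audit_guessable(user_db, guess_list):
    """Defender-side audit: try each guess against each stored record.

    Returns {username: guess} for every account whose password is on the
    guess list. Each record has its own salt, so every guess has to be
    re-hashed for every user; nothing can be looked up in bulk.
    """
    found = {}
    for username, (salt, digest) in user_db.items():
        for guess in guess_list:
            if verify_password(guess, salt, digest):
                found[username] = guess
                break
    return found


# Constructed sample accounts: two share a weak password, one is long and unique.
SAMPLE_PASSWORDS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "tidal-Quartz-88-harbour-lamp",
}

# What the service stores: only a salt and a digest per user.
USER_DB = {user: hash_password(pw) for user, pw in SAMPLE_PASSWORDS.items()}

# Constructed list of short, commonly chosen passwords that get tried first.
GUESS_LIST = ["password", "123456", "qwerty", "letmein"]


if __name__ == "__main__":
    # Same password, different salt: the stored digests do not match.
    print("alice and bob digests equal:", USER_DB["alice"][1] == USER_DB["bob"][1])
    # Only the accounts with a short, common password fall to the guess list.
    print("guessable accounts:", audit_guessable(USER_DB, GUESS_LIST))
```
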
The problem is that none of the Twitter comments we’ve seen so far give any credibility to these explanations, let alone providing evidence that Houseparty is itself implicated in any hacking.
After all, if you use the same password on all your accounts – and some people who are accusing Houseparty are at least admitting that they did just that – then any phishing attack against any of your accounts would expose all of them.
Ironically, for all we know, some of the “look, someone hacked my Netflix account after I started using Houseparty” screenshots on Twitter might themselves be phishing attacks in which the crooks send you fake Netflix notifications to trick you into revealing your password.
And that’s the trouble here, namely that however this Houseparty accusation fiasco started, the insistence to close your account and delete the app is simply not useful advice on its own, and is likely to leave you with a false sense of security even if you do so.

What to do?

A few calm voices on Twitter are asking the obvious question, which is:

where's the evidence it was from houseparty?
How do you know this had happened because of house party tho?

That’s a vital point to consider, and not just because it’s the ethically correct thing to do.
After all, if any of this “hacking” behaviour is not down to Houseparty, which is a mainstream app published by a well-known software company in Apple’s and Google’s official online stores…
…then deleting the app and feeling virtuous about closing your account is not going to help you, because you will still be at risk but will think you aren’t.
Our advice is simple:

  • Don’t accuse Houseparty or Epic Games of malfeasance without strong evidence. The fact that lots of people repeated the same condemnatory text on Twitter proves nothing. If you aren’t part of the solution then you are part of the problem.
  • Don’t assume that deleting Houseparty will fix your problems. The idea that all the listed symptoms above might suddenly appear on account of a single app has to be considered extremely unlikely, in which case removing the app will leave you at risk when you think you are safe.
  • Do visit the Houseparty settings and decide how open you want to be. Do you want your rooms to be “locked” so you meet new people by invitation only? If not, or if you are scared of the app because trolls have been wandering into your online life, consider dialling back your openness rather than deleting the app but not changing your behaviour. Go through the same exercise for all your social media accounts.
  • Do turn on 2FA (two-factor authentication) for any online accounts that support it. Don’t make it easy for someone who steals your password – which is more likely to happen via phishing than in any other way – to login to all your accounts and take them over.
  • Do change passwords and watch financial statements carefully if you think your accounts have been hacked. Whether you think a specific product is to blame or not, just removing one app from your phone is not enough to “unhack” accounts that have already been taken over.

We’ll update this article if we learn any more genuine information – until then, please don’t blindly repeat other people’s unsubstantiated claims, because you can’t make something true simply by saying it over and over again.



37 Comments

misleading title, you’re telling people not to react without evidence, yet the houseparty team has gone silent and their gmail service is not accepting any emails – that’s proven! So where is your proof they haven’t been hacked?

Reply

TBH, we’re not insisting there isn’t a bug in the Houseparty app (we made that clear in the article), and the article isn’t investigating anything to do with Houseparty’s servers. We’re just reacting to the many claims that (in our reading) pretty much tell you that Houseparty is in some way hacking you and to BOYCOTT HOUSEPARTY as a result.
The outbursts we’ve seen aren’t warning of exploitable bugs in the app, or about a hack of the Houseparty backend. They’re a bit like the Talking Angela hoax, if you remember that one, where an app with a talking cat was accused of actively being a front for child abuse. The accusations here seem to be that the company, via its app, is doing the hacking and stealing your data.
The real risk here seems to be that if all the people who say they have been deeply hacked really have been, then *even if the whole Houseparty crew has gone rogue as the story is implying*, then just deleting the app and closing your account isn’t enough. And yet that’s all these SHOUTY!!!!! posts seem to be suggesting.
Remember that even in outright mobile phone malware attacks, we’ve never seen any rogue app cause this sort of apparently unlimited damage in this sort of way. Thus our tips at the end.
Simply put, trying to prove a negative in order to counteract a sea of unsubstantiated comments that state a positive without proof is IMO coming at this the wrong way round.
Nevertheless, to prevent any further misunderstanding I shall change the headline to say “Houseparty – is it really trying to hack into your digital life?”

Reply

Actually no your article makes people think all the people claiming that their accounts have been hacked are liars.
Yes they can do more than scream Houseparty is hacking them but Houseparty should look into who is hacking into their app! Not look for someone causing a smear campaign!
FYI I got Netflix two weeks ago and in one day it was hacked and my email associated with it was changed and luckily I called Netflix right away and was able to fix it.
The only thing I did before that was create a Houseparty account!
And I am one of those people who does use same password for all my entertainment stuff which is stupid I know and I have learnt my lesson.
But your article just tells people they are stupid for having their accounts hacked and that Houseparty is totally legit and it’s your own fault! So people are still going to keep using it and not take any precautions such as using a throwaway account

Reply

The thing is that people aren’t merely claiming that their accounts have been hacked. They’re claiming that Houseparty hacked their accounts. They’re not suggesting that there’s a bug in the Houseparty app, and they’re not saying it’s because Houseparty’s servers got breached and data got stolen that somehow helped other crooks. They’re basically saying, or at least letting you infer, that Houseparty – the app and the company – are hackers and crooks who are breaking into your accounts.
As for saying that our article means “people are still going to keep using it and not take any precautions”, please see the tips at the end of the article. We have plenty of advice to offer there!

Reply

So, based on your evidence – NETFLIX HACKED MY ACCOUNT – UNINSTALL NETFLIX IMMEDIATELY BEFORE IT EMPTIES YOUR BANK ACCOUNT.
See how stupid that is? Netflix has access to your payment details, so is way more risky than houseparty, but you seem to think that Netflix being hacked isn’t their fault!

Reply

netflix didn’t get hacked, your account details were found in another company’s data breach and i’m guessing you use similar passwords for everything
cmon

Reply

Alekhya, you are taking the article not as it was written, but as a personal attack since you had been breached and had the app. It was not written at you, it’s informative. This is educating, not attacking. We have trolls for attacking (me included sometimes), but this ain’t that. I hope you gained some insight from the story after rereading it in the manner it was written.

Reply

I downloaded the house party app last week, and since then I received 3 emails from instagram that someone requested a password reset. I have never ever received a password reset request. Mere coincidence?

Reply

The thing is that anyone can attempt a password reset on your Instagram account at any time, simply by putting in your email address off a list. If you have ever received spam, then your email address is on a list.
So the fact that you installed Houseparty a week ago is simply not needed in the explanation of how you came to receive those password reset emails. In this case, based on the information you provided, it is a red herring.
After all, if we accept Houseparty as a valid explanation in your case, then we must also accept the explanation that *for every other person who has ever received an unexpected “password reset” email* (and that includes me, along with perhaps millions of other people in the last few years) the app they installed most recently before it happened is somehow to blame. And therefore, in the interest of fairness and good science, we must spread the blame currently being heaped on Houseparty with pretty much every other app in existence if the only “proof” in the story is the order of the events.
Whenever something creepy happens to you online, there will always be one app that was the most recent you installed, one website that was the most recent you signed up for, one online store that was the most recent you shopped at, one song you listened to just before, one ad you saw last, one person who sent you the last email, one JavaScript file that just ran in your browser, one bank whose credit card you spent against most recently, and one mobile phone vendor on whose device you last received a 2FA code.
The thing about so-called “coincidences” is that they happen all the time, as a matter of definition. The time to get weirded out is the day they *stop* happening, because that’s the day that the so-called “clockwork universe” has started ticking.

Reply

I received SMS with houseparty codes when I was not asking for them and now just received a ransom mail with the password used for houseparty…. enough of an evidence

Reply

If you just received a “porn scam” (sextortion) email with your Houseparty password in then I very strongly suspect that is because you used an old password when you set up your new Houseparty account.
I have yet to see a porn scam email where the password was *not* obtained from a data breach that happened years ago.

Reply

But if you do want to change password or delete the App but can’t remember your password – how do you do it?

Reply

That I don’t know – I’m pretty sure you can change your password from an iPhone. Are you on Android? Anyone here know the answer?
Can you change your password from a browser, perhaps, if you’re worried someone’s got hold of it? IIRC it works in Chrome (but not in Firefox.)

Reply

you can change your password by logging out of houseparty, then when you log back in click on ‘I already have an account’, then click ‘forgot my password’ it will then take you through a process to reset it to something different.

Reply

You go into your settings. There is a small red wheel and then goto privacy.
If you still want to use it. I suggest deleting the account and then signing up with a throwaway account and password to protect yourself

Reply

Ok. I loaded the app on the weekend on my Pixel 4 XL. I use a password manager – KeePass to generate and store passwords. After loading HouseParty, I tried to open KeePass, instead it opens HouseParty. This happened several times. In the end I uninstalled KeePass and re-installed. Seems to be back to normal. However I’ve now removed HouseParty. I haven’t loaded any other apps on the past several months. This at least to me indicates a bug somewhere. Bugs in apps can be exploitable. Now I see a storm of complaints about it being hacked – I think they need to be taking this seriously instead of blaming people for using compromised accounts. My password is unique, hence why I use a password manager

Reply

I downloaded houseparty about 2 months ago, I’m not even sure if this is real or not but if it is, I’m very scared.

Reply

Houseparty are not hacking us or using your email accounts/passwords however there must be another app or website out there doing this.
My evidence? Well I had someone log into my Spotify from Russia and France in Feb and early March yet only downloaded HP app this Saturday…the same Spotify claim that everyone seems to be shouting about

Reply

I cannot say whether or not the fears about this app are true – BUT – I downloaded it on Sunday and within a couple of hours I was getting popups and adverts that I’d not been getting before. Furthermore, my phone started acting erratically. Eventually I discovered that my SD card had become inaccessible too. The card was about 2 years old (genuine Samsung 32Gb Evo). I checked it in my windows laptop that reported it as inaccessible. I couldn’t even format it. A second SD card inserted into the phone read fine. Reluctantly, because the phone continued to behave strangely I had to reset to factory – losing a lot of the data on my phone – and of course everything on the SD card. Now I’m not accusing the app of anything – but I’m suspicious as I’d not added any other apps or visited any “dodgy” websites ….

Reply

From the information you’ve given about the SD card, don’t you think “there was a problem with the card” is the most likely explanation?
You put a different card in the phone and the new card worked fine. You put the suspect card in a different device and it didn’t work fine. What makes you think that the recently installed app is the most likely reason for a problem that apparently moves with the card? Surely, given the testing you did, if the app were causing the problems then you would expect the suspect card to behave fine in Windows, and the new card to behave in suspect fashion when exposed to the app?

Reply

I get the idea, a lot of people are going to solve this riddle quickly, as a lot of people don’t have much else to do that’s interesting, right now, at home, alone…

Reply

I honestly wouldn’t be surprised if there was a vulnerability in the app, for years there have been issues with epic as a whole with accounts getting hacked

Reply

People do realize that there are 1000’s of people constantly running scripts on servers to find username and passwords for spotify, netflix, minecraft, fortnite etc.. and there are sites that then sell these access for pennies. My view is while there could be a small chance there is an exploit/bug in the app (and this we have no idea if its from android or ios), its more likely to be a coincidence from a small number of people who do share the same user/pass combo and then social media just takes over with the hysteria….

Reply

I’m wondering why they haven’t offered a headline grabbing amount as a bug bounty. Maybe it is because they are confident no evidence of a smear campaign will be found but aren’t so confident about it being bug free at present. In any event, my daughter is still using it to stay in touch with school friends but I recommend locking rooms from uninvited guests. Until we know more…
Don’t reuse passwords.

Reply

What we are seeing is either loads of coincidences, or something linked to the installation of HouseParty. My daughter has been using HouseParty for a few days, and today, while her phone was sitting on a chair as she popped out of the room, when she came back her online banking app had been opened and 3 failed attempts at her passcode, which had then thankfully locked her account out. I don’t have any way of doing memory traces on the phone to “prove” what happened, however, her reaction has not surprisingly been to remove HouseParty as that’s the only thing new she’s been using. It’s as if installing HouseParty has also installed some way hackers can remotely operate the phone! Scary!

Reply

I signed up to houseparty at the weekend. My Spotify account was hacked twice in the last 24 hours and apparently used in Russia Which has never happened before. I have the emails from Spotify as proof. I don’t have the same password across all accounts. I’m afraid the Houseparty app has to go!

Reply

If you look at the sheer volume of “my Spotify account got hacked” reports so far in 2020 – try searching for “spotify account hacking” in mainstream media and on Twitter – you will notice, sadly, that it happens a lot. For everyone it ever happened to, there is “that one app I installed most recently before I got hacked.” See where this is going?
In the last week or so, the most commonly just-installed app for people who receive Spotify login warnings will almost certainly be Houseparty, so the app most likely to get the blame because it was the most recent change people remember is Houseparty. So what you have is scary, but it is still not evidence in any useful sense.
If X happened after Y, then X couldn’t have caused Y. It’s easy to assume that you can flip this around and say that if X happened before Y, then X *must have caused* Y. But that is a logical fallacy. (It’s known in the jargon as _post hoc ergo propter hoc_, which is Latin for “afterwards, therefore because of”.)
There are lots of more likely ways for a crook to acquire your Spotify password than via an app everyone just happens to be talking about that has never been blamed before, and all of those other reasons must be ruled out before you can be sure it was down to Houseparty – and anyway, if your Houseparty account had a different password and crooks did steal that password, how would that let them login to your Spotify account? Mobile phone apps can’t read out each other’s passwords (and if they could, that almost certainly would be a bug in Android or iOS).
The reasons that this matters are twofold: [a] the presumption of innocence is an important part of keeping society fair, and finding a reason to blame a company based on Twitter rumours is unfair and [b] if the reason for someone abusing your Spotify account is not the one you have assumed, then removing the Houseparty app will make you think you have “fixed” your security problems when you haven’t.

Reply

Paul, whilst technically I agree with the “not guilty until proven” approach, if I walk down a street I haven’t been down before and get hit by rotten vegetables being thrown at me, but can’t prove who’s doing it, I will avoid that street in future, not as a guarantee that it won’t happen again, but as it was a bad experience – see my daughter’s experience above with her online banking app opening and having 3 failed attempts at her passcode, while the phone was just sitting on a chair. The problem is no end users have the technical ability to “prove” if HouseParty did it, or to prove if HouseParty didn’t do it, so only way to take one possible cause out of the equation is remove the most recent change – this is standard procedure in software development, when a fault appears after a change – first thing you do is back-out that change. Yes I have no proof, but boy am I suspicious of HouseParty (or perhaps a compromised version of it).

Reply

Your analogy simply doesn’t work – when you walk down a street *you are of necessity not in any other street* and you therefore are right to conclude that *someone in that street* threw the vegetables. Therefore if your response is to avoid that street in future because you can’t be sure which householder did the deed, then by your analogy you should be avoiding the operating system on which this bad thing happened to your daughter, because that is the milieu in which an app was apparently subjected to remote control. Your analogy says to avoid the street precisely because you don’t know which house to blame, yet in this case you are blaming a specific app even though you admit that you don’t have any reason to suspect it more than any other.
(If the Houseparty app did not have Accessibility permissions then I am struggling to see how it could have spied on and “clicked through” to remotely control another app, as you seem to be claiming. Even in the face of an application flaw, the operating system should prevent this happening. Mobile apps do not share user IDs and operating system access permissions like they do on your laptop. Each app essentially runs as a different user. And if the app did have Accessibility permissions then I am struggling to see how it could be the legitimate version from Google Play or the Apple Store, because those versions don’t.)

Reply

OK, better analogy, I walk down a street I walk down every day, and one new person has moved into that street since I last walked down it, I get pelted with vegetables this time for the first time, and never have before. I can’t prove it was the new household, but following my other analogy with software development, what has changed? Back-out the change and see if the same problem persists.

Reply

I’d be careful with that analogy… it feels perilously close to “oooh, there’s been a burglary – it must be the immigrants/outsiders/incomers/foreign-looking types”.

Reply

Spotify is always being hacked, doubtful that is solely related to HouseParty, but it is online banking hacks I am hearing more about that are concerning me.

Reply

If “Spotify is always being hacked”, then why are all the people dissing Houseparty not telling you to remove Spotify instead? As previous commenters have pointed out, that is a more logical conclusion than the other way around.
Think about it: if Spotify is indeed as hackable as you imply, and has been for ages, isn’t it much more likely to be the culprit because it’s been on your phone for ages than the most recent app you installed? Why does it make more sense to blame Houseparty for hacking Spotify than the other way around?
And if “Spotify is always being hacked” then instead of saying it is probably not *solely* related to Houseparty, isn’t it more reasonable to say that it is probably not related to Houseparty in any way at all?
(To be clear, I am not suggesting that Spotify *is* always being hacked. I am just starting from your premise that it is.)

Reply

Hi – I downloaded Houseparty with no problems from the App Store – I love it. but….. when my friend has tried to do the same she got an email saying they were from Apple saying her account had been blocked For 24 hrs and there was a button to verify her account – when she went into verify it was asking for bank details so she didn’t go ahead- plus when you read the mail the vocabulary wasn’t good which makes you think it’s not genuine. Scary when you go through the App Store for this to happen – not sure if this helps or not!

Reply

I get emails from “the App Store” all the time giving me a button to unblock my account. And my Amazon account. And my Netflix account. And my Gmail account. And my PayPal account.
The funny thing is… I don’t have the Houseparty app. In fact, I don’t even have any of the account types I just mentioned.
So the simple truth is, you don’t have to “go through the App Store” for this to happen. What your friend has experienced is a coincidence, like seeing a white car drive past less than a minute after walking past someone wearing a white shirt.

Reply
