Late Tuesday night, the group video chat app Houseparty tweeted a bizarre statement:
Houseparty has seen a surge in popularity in the last few weeks as people are staying inside and want a way to hang out with their friends. But in the last few days, there have been tweets from people who claimed their other accounts — including Spotify, PayPal, and Netflix — had been hacked after installing Houseparty. They blamed Houseparty for it.
Houseparty denied either that it was hacking people’s accounts or that hackers were using it to enter people's accounts. “We’ve found no evidence to suggest a link between Houseparty and the compromises of other unrelated accounts,” Houseparty’s reps said in a statement.
That was strange, but what was stranger still was the company’s claim that some entity was making up false rumors on social media about hacking it as part of a paid, targeted smear campaign.
Let's start with what we do know.
There’s little logical reason for Houseparty to want to hack your Spotify (or any other account, for that matter). The app has been around for a few years and was acquired this summer by Epic Games, the company behind Fortnite.
But what if Houseparty were hacked, leaking passwords that hackers could use to log into your other accounts (because you’re a normal person who uses the same password for multiple apps)? Well, that seems possible. Except that Houseparty insists this wasn't the case — it said it saw no evidence of any sort of password or user data breach.
A spokesperson for PayPal confirmed to BuzzFeed News that it had not seen any user issues related to Houseparty, and that its user accounts remained secure. Even if Houseparty had leaked passwords, PayPal has other safeguards in place for accounts that would prevent malicious logins.
Similarly, a Spotify spokesperson said it had not seen unusual activity.
So what actually happened?
There’s some ambient level of phishing and hacking attempts going on at all times, and one likely explanation is that a few people noticed it and assumed (wrongly) that it had to do with that new app they just installed, which in this case was Houseparty. The two things may have happened at the same time, but the one didn't cause the other. It’s a good reminder to do a security checkup for yourself (are you using a password manager, two-factor authentication, and strong, unique passwords?), but otherwise, eh.
The rumor seems to be largely based in the UK. What’s odd is that a lot of the tweets from people who claim to be hacked are from, uh, beautiful women. Now, this is not to say that beautiful women don’t care about infosec, but if that’s the only demographic claiming to have knowledge of a hack, that does seem perhaps botlike, as if it were coming from a commercial smear operation.
However, two of these hot British women responded to DMs from BuzzFeed News and spoke about their experience, and didn't seem to be bots or trolls. The Twitter accounts for several other women also lacked indications that they were bots — the accounts were created at different times, some over 5 years ago, and posted regular conversational tweets and even real photos of themselves that matched the avatars. They seemed to be, well, real, hot women.
One woman, Molly Brammall, who tweeted about Houseparty hacking her, told BuzzFeed News that several of her accounts were compromised. However, it appears that she was the victim of a standard phishing attempt (which isn’t exactly “hacking”), with no clear connection to Houseparty.
“So initially I got sent a false Spotify email which I logged into to see what was going on, allowing the hacker to retrieve my password (stupidly my password for quite a lot of things),” she told BuzzFeed News. “They got into my Instagram and changed my password, my email linked to my account, my username and they removed my phone number. I could only login through Facebook which allowed me to see all this activity and the location of the hacker (Russia).”
Hannah Johnson also believed that Houseparty was to blame for a breach into her accounts. “I downloaded [Houseparty] on the 21st and no other apps since then. On the 29th I got an email saying someone logged into my Fitbit,” she told BuzzFeed News. “It didn’t seem like me (phone or location) so they logged all accounts out, and told me to reset my password as they got into it. Then I got an email about a new login attempt to my Spotify.” Unlike Brammall, Johnson used different passwords for her Fitbit and Spotify accounts, although the same email address.
There’s often an uptick in phishing and hacking attempts during times of crisis, like now. Theresa Payton, cybersecurity expert and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, told BuzzFeed News, “Nation states, cybercrime syndicates, and lone wolf hackers always try to hide their misdeeds within the construct of today's headlines.”
So was there actually a smear campaign?
Unclear, but…probably not?
Houseparty said in a statement, “our investigation found that many of the original tweets spreading this claim have been deleted and we've noticed Twitter accounts suspended.” The fact that these accounts were suspended sure makes it seem like suspicious activity.
But representatives for Twitter told BuzzFeed News, “we haven't seen any coordinated activity related to conversations about Houseparty, but are continuing to keep an eye on it.”
Ultimately, it seems like this is likely just an extremely weird tweet from Houseparty. Carry on your video chats, and please, for the love of god, get a password manager and stop reusing passwords, everyone!