Around 30 March, a flood of social media posts blamed one of the most popular video chat apps of the moment, Houseparty, for a wave hacks that supposedly exposed users' Spotify, Snapchat and online banking data. The problem is, there's wasn't really any concrete evidence to back up these accusations.
Users reported attempted logins across a myriad of other services, as well as attempted and successful payments using their banking and PayPal accounts, without their consent. Fingers were pointed at the newly-downloaded Houseparty app, which is currently experiencing a huge influx of new users as a result of the societal effects of the global COVID-19 pandemic.
Was Houseparty ever really hacked?
We reached out to the company, asking whether any of their systems had been compromised and whether any user data had been leaked or used to gain access to other accounts or services. Within a day, a company spokesperson responded saying, "We’ve found no evidence to suggest a link between Houseparty and the compromises of other unrelated accounts."
The company also published a number of tweets addressing the validity of the allegations, stating that their service had "never been compromised" and that Houseparty doesn’t collect passwords for other sites, either.
All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites.— Houseparty (@houseparty) March 30, 2020
The tweets proceeded to make mention of a potential "paid smear campaign" serving as the root cause of the hacking rumours and rather brazenly issued a $1M bounty to anyone who could name the source of said campaign and provide proof.
We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to [email protected]— Houseparty (@houseparty) March 31, 2020
The statement we were issued also highlighted a lack of credible sources in relation to the original accusatory tweets and social media posts against Houseparty. "Our investigation found that many of the original tweets spreading this claim [claims of hacking] have been deleted and we've noticed Twitter accounts suspended. It's a disheartening situation for a service like ours that’s bringing people much needed face-to-face social connections and empathy at a critical time."
With the origins of the hacking allegations apparently nonexistent or debunked, it seems fair to say that Houseparty's servers were never compromised and user data was never at risk. That said, it's still important to understand what user data Houseparty can store, utilise and share, based on its terms and conditions.
Is Housparty secure?
While the app may be free to sign up to and use, UK-based data specialists, Reincubate, dug into Houseparty's terms of service to see what it can legally do with anything you grant it access to.
While the offer of a million dollars is an enticing prospect in order to pin down the source of some bad publicity, it isn't exactly a by-the-book solution, with Reincubate's report suggesting that Houseparty should instead be encouraging the "discovery and resolution of real security problems".
There's also the matter of content ownership, with Houseparty claiming "free use for any purpose of user content sent through their [sic] system" - a markedly different stance compared to other similar services out there.
It seems that while Houseparty remains secure, its policies need to be brought in line with European data protection laws to better protect users going forward.