Houseparty offers $1m bounty over hacking allegations

News by Mark Mayne

Popular video conferencing app offers huge bounty after series of hacking allegations hits the headlines.

Epic-Games-owned Houseparty, a video conferencing desktop and mobile application, has offered a bounty of $1 million (£800,000) in response to a flurry of hacking accusations. 

"We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a US$1,000,000 bounty for the first individual to provide proof of such a campaign to bounty@houseparty.com."

The Houseparty team was previously forced to confront the rumours with a Tweet stating that: “All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites”, after a string of Tweets from users claiming that other accounts (including bank accounts, Netflix, eBay, Instagram, Snapchat, Spotify and Uber) had been hacked after downloading the Houseparty app. The allegations have been widely reported in the UK tabloids, including The Sun and Mirror Online.

Christoph Hebeisen, director, security intelligence research at Lookout, investigated the app and said: “There are two separate issues being discussed around Houseparty: First, it appears that many users are not aware of the privacy implications of how the app works and how people can "drop-in" when they don't want or expect them to. This can obviously lead to awkward situations.

"The second issue is the assertion that third-party accounts are being "hacked" through the Houseparty app. These claims cover a wide variety of third-party services such as music and video streaming services as well as financial services. While there are numerous reports from users online, we did not find any evidence to indicate that the Houseparty app as available from official App stores is to blame for compromises they are experiencing.”

A common cause of multiple account compromises in a short time is password reuse across several services linked to the same email address. Services such as https://haveibeenpwned.com/ can help identify email addresses that are at risk.

Peter Draper, technical director EMEA at Gurucul, agreed that password hygiene is a potential issue in many cases: “People need to be vigilant with their password hygiene at such a time when bad actors are trying every single angle to exploit the current situation and people's need to communicate with friends and family during lockdown. Use strong unique passwords for every app you’re using to make sure you have that extra bit of security.”
