Confusion, log-ins from Russia and suspicious bank transfers: is ‘Houseparty’ to blame for the recent spate of hacks?



Alison Whan had nothing to do on a Sunday afternoon.


With the coronavirus pandemic sweeping through Australia, the Victorian found herself self-isolating at home. Hearing of a new app, Houseparty, Alison downloaded the popular video-chat program and spent the night talking with her friends.


But just two days later she deleted the app. She’d only made that one video call.


Alison woke on a Wednesday morning to find weird transactions in her bank account. The transactions were from Google and have since disappeared.

Unsure where the transactions came from, Alison changed her bank account and credit card details in an attempt to stay secure.


In the past few weeks, Houseparty has been accused of being the cause of hacks on numerous user accounts. Victims have stated their Spotify, email, Google, Instagram and bank accounts have been hacked.


Houseparty spokespeople have denied any involvement in these breaches. In a tweet on March 31, Houseparty assured users “the service is secure, has never been compromised, and doesn’t collect passwords for other sites”. The company even offered a one-million-dollar bounty to civilians who can find the source of the alleged misinformation being levelled against it.

After hearing this outright denial, Alison is unsure about what caused the suspicious bank activity.


“It’s really hard to tell if it’s connected or not,” she said. “But the experience certainly did make me stop and think, and not just blindly download stuff because other people were doing it.”


Alison changed her passwords and switched to using Zoom. She feels fortunate she is “not really a big app user anyway”, as this experience has made her realise the dangers of online communication tools.


“Even my work is realising now that in using these things we’re opening ourselves up to cyber-crime,” she said. “You can’t just use these things for the sake of convenience, you have to do your due diligence.” At Victoria University where Alison works, employees now have to put in a password to access meetings on Zoom.


Alison was lucky to avoid any long-lasting damage. But others haven’t been as fortunate. A Twitter user by the name of Sarah tweeted a suspicious text message she received from Houseparty, who told her they had stopped a postal delivery for her and required her to pay for extra packaging. Although the app has said there have been no breaches, users throughout the country have begun to see weird activity.


There has been no definitive proof of where these hacking attempts are coming from, and no evidence to blame Houseparty. There are only inferences, and a belief, driven by other victims of hacking, that Houseparty is guilty because of the timing of these breaches in relation to downloading the app.

Looking into Houseparty’s automatic data collection policy, there are causes for concern for all social media users. In the fine print of its privacy policy, Houseparty states it may collect certain information like “your zip code and state”, “what site you came from, or what site you visit when you leave us”, “your mobile carrier” and “information about your friends, like their phone numbers and addresses”. This information may then be “processed and stored within the United States”.


Basically, the app can use your phone to see where you are, what you are doing online and what it all means. It may be standard for social media enterprises, but it also gives potential hackers plenty of scope for finding account details of users.

However, a BBC article investigating the data breaches found that security experts see nothing extraordinary when looking into the hacks. In fact, Lukas Stefanko from ESET struggled to find any suspicious use of data from the app.


“The permissions don’t ring any privacy alarm bells for me,” he said in the article.


The breach also shows no sign of cyber-criminality, as the misused data has not been openly shared on public forums.


University student Sam Black also had some of her accounts hacked into.


Just days after downloading Houseparty, Sam received an email from Spotify saying there was a new log-in to her account from Russia. Then, her Google account informed her of a “suspicious attempt to sign in from a less secure app” in Irkutsk, Russia. Since receiving these emails, Sam has also seen others getting similar messages from different locations.

“I’ve seen a few people get hacked from other places so I don’t think it’s just coming from Russia, which is strange,” Sam said.


Much like Alison and other hacked Houseparty users, Sam is unsure as to where the hacks are stemming from. But it has also turned her off the app.


“I actually have no idea what’s causing the hacks,” Sam said. “It makes sense if it’s Houseparty because everyone got hacked around the time they downloaded the app, but they’re denying it so I have no clue who is to blame.”


“I definitely won’t be downloading Houseparty again unless they can properly prove it’s not them.”


Until there is evidence tracing where the hacking originated, Houseparty can’t be held responsible for any of the suspicious emails or bank transfers being sent to many recent users of the app. But that won’t stop sufferers from deleting the app and finding other ways to communicate, as the open-ended data collection policy gives no reason for Alison or Sam to risk their accounts again.

