Houseparty users are complaining on social media that they’ve been hacked, reporting that their PayPal, Netflix, Spotify, and online-banking accounts were compromised.
Several tweets, including from verified users, include screenshots of what users say are compromised accounts from Spotify and other services. These users blamed Houseparty.
However, the emails in the screenshots are in fact from scammers posing as brands such as ‘Spotify’. The scam works by emailing random people to say their account has been hacked and urging them to click a link. The link leads to a fake website that looks like the real one and asks them to reset their password. People enter their information without realising that they’re submitting it to scammers.
Houseparty has surged in popularity as a way of keeping in touch with friends and family during coronavirus restrictions around the world. The app — which offers group calling, quizzes, and games — launched in 2016 and was acquired by Epic Games in 2019. According to Apptopia data cited by VentureBeat, Houseparty’s downloads surged by 2,000% from mid-February to mid-March.
The spokeswoman added that people shouldn’t use the same username or password across different accounts, a common security mistake.
“As a general rule, we suggest all users choose strong passwords when creating online accounts on any platform,” she said. “Use a unique password for each account, and use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.”
There isn’t any evidence that Houseparty got hacked
There is little evidence that Houseparty has in fact been hacked. It isn’t clear how users concluded that Houseparty was the reason their other accounts were compromised, except that it may be the newest service they’ve signed up for.
What’s more likely is that people are reusing credentials and passwords across different accounts. When those details are compromised and leaked or sold, hackers often try entering them across multiple services in what’s known as a “credential stuffing” attack.
Netflix and Spotify are among the top services targeted by hackers globally. Spotify has never acknowledged a breach, but it did reset some people’s passwords in May, hinting at a credential-stuffing attempt.
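How a service might spot the credential-stuffing pattern described above in its own login records, as an added example that is not part of the original article or any named company's code. The log format, thresholds and function names are assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log, one attempt per line: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-03-30T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-03-30T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-03-30T10:00:03Z 203.0.113.7 carol@example.com SUCCESS
2020-03-30T10:00:04Z 203.0.113.7 dave@example.com FAIL
2020-03-30T10:00:05Z 203.0.113.7 erin@example.com FAIL
2020-03-30T10:00:06Z 203.0.113.7 frank@example.com FAIL
2020-03-30T10:02:10Z 198.51.100.20 bob@example.com FAIL
2020-03-30T10:02:25Z 198.51.100.20 bob@example.com FAIL
2020-03-30T10:02:41Z 198.51.100.20 bob@example.com SUCCESS
2020-03-30T10:05:00Z 192.0.2.44 grace@example.com SUCCESS
"""

def summarize_by_ip(log_text):
    """Return {ip: {"users": set, "fail": int, "total": int, "hits": set}}."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines
            continue
        _ts, ip, user, result = parts
        s = stats[ip]
        s["users"].add(user.lower())
        s["total"] += 1
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["hits"].add(user.lower())
    return stats

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag IPs that try many distinct usernames and mostly fail.
    One user retrying their own password (198.51.100.20) is not flagged."""
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(s["users"]), round(ratio, 2))
    return flagged

def accounts_to_reset(log_text):
    """Accounts that logged in successfully from a flagged source: reused passwords."""
    stats = summarize_by_ip(log_text)
    return sorted(u for ip in find_stuffing_sources(log_text) for u in stats[ip]["hits"])

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG), accounts_to_reset(SAMPLE_LOG))
```

Per-IP counting is only a starting point, since attempts spread across many addresses need grouping by other signals as well.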