BBC News online addresses the widely circulating rumours that Houseparty is hacking users’ accounts. The article also discusses the claim by the US firm’s owner Epic Games that a ‘malicious actor’ is behind the rumours.
Truth or rumours?
SureCloud’s Principal Cybersecurity Consultant Elliott Thompson explains that there is a consensus in the information security world that it’s highly unlikely that the app is actively breaking into people’s other accounts, since the nature of this incident isn’t consistent with usual cyber-criminality.
Normally when a cyber-crime group breaches a company or downloads a user account database, the data is sold at a high price and used very carefully. If a scam group had purchased the data, it wouldn’t make financial sense to burn it by trying to steal accounts for streaming services. Similarly, if the breach was widely available, it would typically appear on public forums and we’ve not seen anything like that.
Houseparty has also tweeted that it believes the rumours about hacking were deliberately fabricated to make Houseparty look bad, and that there is a $1 million bounty for proof.
“The company responsible for Houseparty has strongly denied that there has been a breach, but that is not always a reliable indication. Back in 2018, British Airways initially denied a breach which later turned out to be real.” – Elliott Thompson, SureCloud’s Principal Cybersecurity Consultant
A third possibility
Houseparty may not be the victim of a smear campaign or a rogue app, but Elliott explains that there is a third possibility. Houseparty is a relatively new service with fast servers and a large number of users. This means hackers might be leveraging these fast servers to ‘clean’ data from other breaches. For example, the LinkedIn data breach from 2012 is freely available, but the data is also stale and almost worthless. If Houseparty doesn’t prevent bulk login attempts, hackers could use the 2012 LinkedIn data to reduce their list to a much smaller, but much more ‘fresh’, dataset.
With this smaller set, trying to log in to streaming services has a much smaller chance of getting them caught, and with ‘zero cost’ to the hacker, selling stolen streaming accounts is likely to make them enough money to justify it. Although this doesn’t mean that Houseparty is being used in this way, it is one possible explanation for why so many people have reported their streaming accounts being breached shortly after installing the app.
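For a service that wants to check whether its own login endpoint is seeing this kind of bulk activity, the sketch below is an added example, not code from SureCloud, Houseparty or the BBC article. It counts distinct accounts tried per source address in a time window, since a list-validation run tries each account only once and so never trips a per-account lockout. The log format, the window, the threshold and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_DISTINCT_USERS = 5          # assumed per-source threshold inside the window

# Constructed sample auth log: "timestamp source_ip username result"
SAMPLE_LOG = [
    # One person mistyping a password, then succeeding: a single account.
    "2024-01-01T10:00:00 198.51.100.20 alice@example.com FAIL",
    "2024-01-01T10:00:20 198.51.100.20 alice@example.com FAIL",
    "2024-01-01T10:00:45 198.51.100.20 alice@example.com OK",
] + [
    # One source trying eight different accounts once each, one of them valid.
    f"2024-01-01T10:01:{i:02d} 203.0.113.7 user{i}@example.com "
    f"{'OK' if i == 3 else 'FAIL'}"
    for i in range(8)
]

def parse(line):
    """Split one constructed log line into (time, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def find_bulk_sources(lines, window=WINDOW, limit=MAX_DISTINCT_USERS):
    """Return {ip: (distinct_accounts, successes)} for every source that tried
    more than `limit` different accounts inside a single window. The tuple is
    taken at the moment the distinct-account count peaked."""
    recent = defaultdict(deque)          # ip -> (time, user, ok) in the window
    flagged = {}
    for ts, ip, user, ok in sorted(map(parse, lines)):
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > window:   # drop attempts older than window
            attempts.popleft()
        accounts = {u for _, u, _ in attempts}
        if len(accounts) > limit and len(accounts) > flagged.get(ip, (0, 0))[0]:
            successes = sum(1 for _, _, o in attempts if o)
            flagged[ip] = (len(accounts), successes)
    return flagged

if __name__ == "__main__":
    for ip, (accounts, successes) in find_bulk_sources(SAMPLE_LOG).items():
        print(f"{ip}: {accounts} accounts tried, {successes} valid")
```

A source flagged with even one success is worth acting on: that account’s password is known to a third party and should be reset.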
You can read Elliott’s comments in the full BBC article here: “Houseparty: How safe is Epic Games’ video chat app?”
Elliott Thompson OSCP, CTL/CCT-APP, one of SureCloud’s senior security consultants, delivers on a variety of large and unusual pen-testing engagements. Elliott engages targets throughout Europe, Asia, and the Middle East, with work ranging from infrastructure testing and reverse engineering to physical, social engineering and red teaming. Elliott has also appeared on the BBC as a cybersecurity expert, is a CVE identifier, CHECK Team Leader and CREST Registered Tester.