Video chat app Houseparty offers $1 million reward over hacking claims

(Reuters) - Group video chat app Houseparty offered a reward of $1 million for evidence of what it said was a smear campaign against the company as it fought to quash claims that the app was stealing data from others installed on the same smartphone.

Hundreds of tweets have surfaced in the last two days, claiming that Spotify, Snapchat and other accounts on people’s phones were hacked after they downloaded the Houseparty app, which was acquired by Fortnite-maker Epic Games last June.

“Our investigation found that many of the original tweets spreading this claim have been deleted and we’ve noticed Twitter accounts suspended,” said Nick Chester, spokesperson for Epic Games, after the company noticed the tweets on Monday morning.

Houseparty, which saw an average daily download of about 278,606 in March as per Reuters’ calculations based on data from analytics firm Apptopia, has denied hacking claims.

“All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites,” Houseparty said in a tweet.

“We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to”

The app was currently featured on the list of the most downloaded apps on Google’s Play store and Apple’s App store.

Due to lockdowns enforced in several countries to contain the spread of coronavirus, people working from home are using more video and chat apps such as Houseparty, Zoom and Microsoft’s Teams.

Apple and Google did not immediately respond to requests for comment.

Cybersecurity expert Graham Cluley said no legitimate computer security firm had confirmed that there was a problem with Houseparty.

“The fact that you installed Houseparty and then your Spotify account was breached may be entirely and utterly unconnected,” he said.

“Hackers use credential stuffing attacks, using passwords scooped up from previous security breaches, all the time in an attempt to break into accounts.”

Reporting by Supantha Mukherjee and Ayanti Bera in Bengaluru; additional reporting by Ismail Shakil; Editing by Anil D’Silva and Shinjini Ganguli