image

On the evening of January 30th, I checked my phone one last time before going to bed as we millennials do to simulate waking up with a hangover. Tweets started showing up on my feed about a hack related to Houseparty. I notified Karim Rahal and Karel Knibbe that what was unfolding on Twitter could be something we could look into the next day. At first, we did not think much of it but agreed it would be interesting to explore further.

The next morning I woke up to a BBC News headline, “Houseparty offers $1m reward for proof of sabotage”. The story suddenly started to feel like a big deal.

My inbox lit up with messages from Karel and Karim. We began to dream of all the things we could do with $1'000'000. I could upgrade my car with Gerben Javado, Karel would be able to invest more in Tesla stocks, and Karim could finally fix his gambling addiction.

With a bright future in sight, the three of us set off on a journey to determine: who hacked Houseparty?

The Investigation

To paint a better picture of what was unfolding, the team analysed 8000+ tweets containing the keywords: hack, hacked, hacking, delete, phishing, bank, spotify, netflix, hijack, hijacked, stole, money.

Among these tweets were 500+ images from which we sieved out dates as well as affected email addresses. Upon further inspection, we found the emails in many data breaches: Canva, Collection #1, Exploit.In, iMesh, MySpace, Edmodo, Straffic, River City Media Spam List, 8fit, MyFitnessPal. Even worse, many breaches contained the same emails.

image

These email notifications also included the location from which the login attempt had been made. The location data and timestamps indicated a potential mass-credential stuffing attack had taken place:

Time of Login AttemptLocation of Login Attempt
22 Mar 2020 02:04:29 CESTRussia
22 Mar 2020 17:58:45 CESTRussia
23 Mar 2020 15:19:44 CESTRussia
23 Mar 2020 16:13:45 CESTRussia
23 Mar 2020 16:46:10 CESTRussia
23 Mar 2020 17:18:42 CESTRussia
23 Mar 2020 22:24:38 CESTRussia
24 Mar 2020 00:45:21 CESTRussia
25 Mar 2020 01:52:38 CESTRussia
25 Mar 2020 01:56:56 CESTRussia
25 Mar 2020 17:54:33 CESTRussia

We also plotted the tweets’ timestamps which helped us analyse the start and epicentre of the campaign:

image

Surprisingly, the first known tweet mentioning Houseparty and a hack did not appear to have had an impact on the graph.

So @houseparty isn’t secure, friend just had their Facebook account hacked after using it

— REDACTED1 (@REDACTED1) March 24, 2020

To find the tweets that caused the wave of reports, we narrowed down our search to 13:00-14:00 CEST. By doing this, we discovered Scottish user @REDACTED2 had gained a lot of likes and retweets on a tweet that was then subsequently deleted. Other tweets around the same time, for instance by @REDACTED3, were also from Scotland. With no evidence, their tweets claimed that they had been hacked by installing Houseparty. Later, after having deleted their tweet, @REDACTED2 tweeted out the same message again:

Acc freaking out I’ve had people from Israel, Russia and Us trying to hack my Spotify and PayPal after seeing that hacking tweet about Houseparty, deleting it ASAP

— REDACTED2 (@REDACTED2) March 24, 2020

The peak was instigated by other things too. For one, users searched for login notifications from Spotify and other services. This was discovered by the common occurrence of highlighted search terms in screenshots:

Additionally, another controversy occurred when users tried to delete their Houseparty accounts: Android users did not have the delete account feature, and their only option was to email Houseparty’s support. Unfortunately, the support email had stopped working, further feeding the peak:

Yet, this was not enough to understand the source of the trend: the location was also important. Based on geographical data from the 8000 tweet authors, we believed that the news first broke out in the United Kingdom, and the rumours mainly appeared to have spread among British users. If a data breach had occurred in Houseparty, it would have been odd for only a specific demographic of people to be targeted.

We checked other popular social media platforms and could not find anything older than the activity we had seen on Twitter. Most platforms were directly referencing tweets.

Contacting Houseparty

Once we completed the investigation, it was time to contact Houseparty. In the original Twitter announcement, Houseparty had requested participants contact them via [email protected]. However, due to the tweet going viral, this seemed like whispering in a club.

We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to [email protected].

Houseparty (@houseparty)

This is where Troy Hunt came to our rescue. Troy had a contact at Epic Games who we shall refer to as James for the rest of this story.

Hey Ed,

Troy Hunt contacted us and mentioned that you had some information that you wanted to share with us. I work on Epic’s security team under the directory. Please feel free to share any information with me.

This was our moment to shine! We emailed James with all the information we had gathered and our thoughts on the results. James responded the next day:

I really appreciate the assist. We had some speculation and your information helped confirm that we were wishing for a trend that didn’t exist. […] Can you send me your address? I would like to have our marketing team send you guys a thank you. Thanks again.

They were going to deliver the $1'000'000 bounty straight to our doorstep?! Dreams started to flicker before our eyes again. $1'000'000 was going to be life-changing.

Two weeks went by and no sign from Epic Games…

Just wanted to let you know that you are not forgotten. I wanted to send you guys some swag but in talking with that team, they mentioned that most of the factories are shutdown due to the virus.

Wait … what … disc scratch … Fortnite swag?!

Not what we were hoping for, but some of us would have settled for that. To be fair, we suspected that the million-dollar bounty was out of the question since we did not provide evidence proving a smear campaign: we found strong evidence to suggest this was merely a hoax. Although this was never officially communicated back to us by Epic Games.

Unfortunately, we lost all contact soon after: we waited months but did not hear back. At that point, I gave up on a new car, Karel on his Fortnite t-shirt dreams, and Karim, well, on his poker chips.


To end this blog post: it is not my intention to make this a hit-piece against Epic Games. This is a story Karim, Karel, and I have told friends over drinks and it got to the point where we eventually decided it would be fun to share the story in the form of a blog post. We have no harsh feelings towards Epic Games or anyone involved in this story.

I would like to thank @ElSec_, @katy89164987, and Danyal Sharif for reviewing this blog post prior to publication.