GPS tracking firm Hapn is exposing the names of thousands of its customers due to a website bug, TechCrunch has learned.
A security researcher alerted TechCrunch in late November to customer names and affiliations — such as the name of their workplace — spilling from one of Hapn’s servers, which TechCrunch has seen.
Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions, and “loved ones.” According to its website, Hapn claims to track more than 460,000 devices, and counts customers within the Fortune 500.
The bug allows anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser.
The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.
Hapn has not responded to multiple emails from TechCrunch. The customer names remain exposed at the time of writing.
Several emails to Hapn CEO Joe Besdin went unreturned. A message sent to an email address listed on the company’s privacy policy returned with a bounce error, saying that the email address does not exist. The company does not have a webpage or form for reporting security vulnerabilities.
When we contacted individuals whose names and affiliations were listed in the exposed data, several people confirmed their names and workplaces but declined to discuss their use of the GPS tracker. One company listed on Hapn’s website as a corporate customer had several trackers listed in the exposed data, TechCrunch has seen.
The security researcher said they began looking into the GPS tracker after finding that customers had left online reviews for the devices recommending the tracker for monitoring a person’s spouse or partner. (TechCrunch has seen dozens of reviews on Spytec’s online stores from customers who claim to have used the GPS devices to track their spouses.)
The list of exposed customer records also show thousands of trackers with associated names but no other discernible affiliation. It’s not known if the individuals are aware of having been tracked.