Tracker firm Hapn spilled names of thousands of GPS tracking customers

  • 12/18/2024 - 20:05

GPS tracking firm Hapn exposed the names of thousands of its customers due to a website bug, technewss has learned.

A security researcher alerted technewss in late November to customer names and affiliations — such as the name of their workplace — spilling from one of Hapn’s servers, which technewss has seen. 

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions and “loved ones.” According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allowed anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser.

The exposed data contained information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data did not include location data, but thousands of records contained the names and business affiliations of customers who own, or are tracked by, the GPS trackers.

Hapn did not respond to multiple emails from technewss. Several emails to Hapn CEO Joe Besdin went unreturned prior to publication. A message sent to an email address listed on the company’s privacy policy returned with a bounce error, saying that the email address does not exist. The company does not have a web page or form for reporting security vulnerabilities.

In an email provided to technewss after publication, Hapn CEO Joe Besdin said that the company had no knowledge of the exposure prior to publication and that the data was limited to three customer accounts, each with a large number of trackers. Besdin said the exposed records concerned data from April 2024.

Besdin said the security issue is resolved.

When we contacted individuals whose names and affiliations were listed in the exposed data, several people confirmed their names and workplaces but declined to discuss their use of the GPS tracker. One company listed on Hapn’s website as a corporate customer had several trackers listed in the exposed data, technewss has seen.

The security researcher said they began looking into the GPS tracker after finding that customers had left online reviews for the devices recommending the tracker for monitoring a person’s spouse or partner. (technewss has seen dozens of reviews on Spytec’s online stores from customers who claim to have used the GPS devices to track their spouses.)

The list of exposed customer records also showed thousands of trackers with associated names but no other discernible affiliation. It’s not known if the individuals are aware of having been tracked.

Updated with post-publication comment from Hapn.
