GPS tracking company Hapn has exposed the names of thousands of its customers because of a bug on its website, TechCrunch has learned.
Security researchers alerted TechCrunch in late November to customer names and affiliations (including workplace names) that were leaking from one of Hapn's servers, which TechCrunch has confirmed.
Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices that can be attached to vehicles and other equipment. The company also sells GPS trackers to consumers under the Spytec brand that use the Hapn app for tracking. Spytec promotes GPS devices for tracking the location of valuable possessions and “loved ones.” According to the company's website, Hapn tracks more than 460,000 devices and claims to count customers among the Fortune 500.
The bug allows anyone logged in with a Hapn account to view the exposed data using their web browser's developer tools.
The exposed data includes information about more than 8,600 GPS trackers, including the IMEI number of each tracker's SIM card, which uniquely identifies each device. The exposed data does not include location data, but thousands of records include the names and corporate affiliations of customers who own or are tracked by GPS trackers.
Hapn has not responded to multiple emails from TechCrunch. Customer names remain public at the time of writing.
Several emails sent to Hapn CEO Joe Besdin were not returned. When I sent a message to the email address listed in the company's privacy policy, I received a bounce error stating that the email address does not exist. The company does not have a web page or form to report security vulnerabilities.
When contacted, several individuals whose names and affiliations appear in the leaked data confirmed their names and workplaces, but declined to discuss their use of GPS trackers. According to an investigation by TechCrunch, one company listed as a business customer on Hapn's website had multiple trackers listed in the leaked data.
The security researcher said he began investigating GPS trackers after discovering that customers were leaving online reviews of the device that recommended the tracker for monitoring a spouse or partner. (TechCrunch has reviewed dozens of reviews on Spytec's online store from customers who claim to have used GPS devices to track their spouses.)
The list of exposed customer records also shows thousands of trackers with associated names but no other discernible affiliations. It is unclear whether the individuals are aware that they are being tracked.