Tracking company Hapn exposes the names of thousands of GPS tracking customers

TechCrunch has learned that GPS tracking company Hapn is exposing the names of thousands of its customers due to a website glitch.

A security researcher alerted TechCrunch in late November that customer names and affiliations, such as the name of their workplace, were being exposed by one of Hapn's servers. TechCrunch has seen the exposed data.

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices that can be attached to vehicles or other devices. The company also sells GPS trackers under its Spytec brand to consumers who rely on the Hapn app for tracking. Spytec advertises its GPS devices for locating valuable possessions and “dear people”. According to its website, Hapn claims to track more than 460,000 devices and counts customers in the Fortune 500.

The flaw allows anyone who logs in with a Hapn account to view the exposed data using the developer tools in their web browser.

The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own or are tracked by the GPS trackers.

Hapn did not respond to multiple emails from TechCrunch. Customer names remain exposed at the time of writing.

Several emails to Hapn CEO Joe Besdin went unanswered. A message sent to an email address listed in the company's privacy policy was returned with a bounce error stating that the email address does not exist. The company does not have a web page or form for reporting vulnerabilities.

When we contacted people whose names and affiliations were listed in the exposed data, several confirmed their names and jobs but declined to discuss their use of the GPS tracker. According to TechCrunch, a company listed as a corporate customer on Hapn's website had multiple trackers listed in the exposed data.

The security researcher said he began investigating the GPS tracker after discovering that customers had left online reviews for the devices recommending the tracker for monitoring a person's spouse or partner. (TechCrunch has seen dozens of reviews on Spytec's online stores from customers who claim to have used the GPS devices to track their spouses.)

The list of exposed customer records also shows thousands of trackers with associated names but no apparent affiliation. It is not known whether the people were aware that they were being tracked.
