
Hapn GPS Tracking Customer Data Breach

December 18, 2024

Hapn Customer Data Exposure

A website vulnerability at GPS tracking firm Hapn resulted in the unintentional disclosure of customer information, as discovered by TechCrunch.

Details of the Data Leak

A security researcher initially alerted TechCrunch in late November regarding the exposure. The researcher identified customer names and associated details, such as their employers, being accessible from one of Hapn’s servers. TechCrunch independently verified this finding.

Hapn, previously operating under the name Spytec, provides services enabling remote monitoring of GPS tracking devices. These devices can be affixed to vehicles or other assets. The company also markets GPS trackers directly to consumers under the Spytec brand, utilizing the Hapn application for tracking functionality.

Hapn’s Services and Customer Base

Spytec promotes its GPS devices as a means to monitor valuable property and “family members.” Hapn’s website states that the company currently tracks over 460,000 devices and serves clients within the Fortune 500.

The vulnerability allowed anyone to access the exposed data simply by logging in with any Hapn account and using the developer tools in a web browser.

Scope of the Exposed Information

The compromised data encompassed details on more than 8,600 GPS trackers, including the unique IMEI numbers of the SIM cards within each device. While real-time location data was not included in the breach, thousands of records contained the names and professional affiliations of individuals who either own or are monitored by these trackers.

Hapn’s Response and Lack of Communication

Multiple attempts to contact Hapn were made by TechCrunch. However, several emails sent to CEO Joe Besdin remained unanswered before this report was published.

Furthermore, a message sent to the email address listed in the company’s privacy policy resulted in a delivery failure, indicating that the address does not exist. Hapn does not provide a dedicated web page or form for reporting security vulnerabilities.

Post-Publication Response from Hapn

Following publication, Hapn CEO Joe Besdin communicated with TechCrunch, stating the company was unaware of the exposure prior to being informed. He asserted that the affected data was limited to three customer accounts, each managing a substantial number of trackers, and that it related to data from April 2024.

Besdin confirmed that the security issue has since been resolved.

Verification and Concerns

Individuals identified in the exposed data were contacted; several confirmed their names and workplaces but declined to elaborate on their use of the GPS tracker.

TechCrunch observed that one company listed as a Hapn corporate customer had multiple trackers present in the exposed data.

Ethical Considerations and Tracker Usage

The initial investigation was prompted by a security researcher who noted online reviews recommending the trackers for monitoring spouses or partners. Numerous reviews on Spytec’s online stores corroborate claims of customers utilizing the devices for this purpose.

The exposed records also included thousands of trackers associated with names but lacking any discernible affiliation, raising questions about whether these individuals were aware of being tracked.

This article has been updated to include a comment received from Hapn after initial publication.
