A security researcher alerted TechCrunch in late November to a website bug that exposed the names and affiliations of thousands of customers using GPS tracking firm Hapn’s services.
What Happened?
Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices. The company sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.
The bug allowed anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser. The exposed data contained information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data did not include location data, but thousands of records contained the names and business affiliations of customers who own, or are tracked by, the GPS trackers.
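The article describes the bug only by its effect: any logged-in Hapn account could read other customers' tracker records through the browser's developer tools. That is the signature of an API that authenticates the caller but never uses the caller's identity to filter what it returns. The following Python is an added example, not Hapn's code or anything from the article; the tracker store, account ids, field names and IMEI placeholders are constructed for illustration. It places the unscoped pattern beside an account-scoped one, and includes a small audit helper that counts cross-account records in a handler's response.

```python
"""Account-scoped authorization for a tracker-listing API.

Added example: the store, account ids and field names below are constructed
for illustration and are not Hapn's data model or code.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Tracker:
    tracker_id: str
    account_id: str
    imei: str
    label: str  # name or affiliation the customer attached to the device


# Constructed sample store: three customer accounts, a few trackers each.
TRACKER_STORE = (
    Tracker("t-1001", "acct-A", "IMEI-PLACEHOLDER-1", "Fleet van 12"),
    Tracker("t-1002", "acct-A", "IMEI-PLACEHOLDER-2", "Fleet van 13"),
    Tracker("t-2001", "acct-B", "IMEI-PLACEHOLDER-3", "Warehouse trailer"),
    Tracker("t-3001", "acct-C", "IMEI-PLACEHOLDER-4", "J. Doe"),
)


class TrackerNotFound(Exception):
    """Raised for ids the caller's account does not own or that do not exist."""


def list_trackers_unscoped(session_account_id, store=TRACKER_STORE):
    """Vulnerable pattern: the caller is authenticated, but the identity is
    never used to filter the query, so every logged-in account receives
    every record in the store."""
    assert session_account_id  # the caller is logged in ...
    return [asdict(t) for t in store]  # ... but the query ignores who they are


def list_trackers_scoped(session_account_id, store=TRACKER_STORE):
    """Hardened: the account id comes from the server-side session (never a
    request parameter) and the query is filtered by it. The list view also
    omits the IMEI, which is only needed on a single device's detail view."""
    return [
        {"tracker_id": t.tracker_id, "label": t.label}
        for t in store
        if t.account_id == session_account_id
    ]


def get_tracker_scoped(session_account_id, tracker_id, store=TRACKER_STORE):
    """Hardened by-id lookup: ownership is checked on every fetch, and a
    foreign id gets the same response as a missing one, so the endpoint
    cannot be used to probe which ids exist."""
    for t in store:
        if t.tracker_id == tracker_id and t.account_id == session_account_id:
            return {"tracker_id": t.tracker_id, "imei": t.imei, "label": t.label}
    raise TrackerNotFound(f"tracker {tracker_id!r} not found for this account")


def is_cross_account_denied(session_account_id, tracker_id, store=TRACKER_STORE):
    """True when a by-id fetch for a record owned by another account is refused."""
    try:
        get_tracker_scoped(session_account_id, tracker_id, store)
    except TrackerNotFound:
        return True
    return False


def audit_scoping(session_account_id, handler, store=TRACKER_STORE):
    """Detection aid for tests or a review: count records in the handler's
    response that belong to other accounts. Anything above zero is a
    cross-tenant leak of exactly the kind described in the article."""
    own_ids = {t.tracker_id for t in store if t.account_id == session_account_id}
    returned = handler(session_account_id, store)
    return sum(1 for r in returned if r["tracker_id"] not in own_ids)


if __name__ == "__main__":
    print("unscoped leak count:", audit_scoping("acct-A", list_trackers_unscoped))
    print("scoped leak count:  ", audit_scoping("acct-A", list_trackers_scoped))
```

The `audit_scoping` check is the useful part for a defender: run it against every list endpoint with a session for each tenant, and treat any non-zero count as a failing test rather than something to discover from a researcher's report.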
The Exposed Data
The list of exposed customer records showed that thousands of trackers were associated with names but no other discernible affiliation. It’s unclear if the individuals are aware of having been tracked. The data was limited to three customer accounts, each with a large number of trackers. Hapn CEO Joe Besdin said in an email that the security issue is resolved.
How Did This Happen?
The security researcher who alerted TechCrunch to the bug began looking into the GPS tracker after finding online reviews from customers recommending the device for monitoring a person’s spouse or partner.
A Response From Hapn
When contacted by TechCrunch, several individuals whose names and affiliations were listed in the exposed data confirmed their names and workplaces but declined to discuss their use of the GPS tracker. One company listed on Hapn’s website as a corporate customer had several trackers listed in the exposed data.
Hapn CEO Joe Besdin provided an email statement after publication, stating that the company had no knowledge of the exposure prior to publication and that the security issue is resolved. However, multiple emails sent to Hapn by TechCrunch went unreturned prior to publication.
The Implications
This incident highlights the importance of website security and the potential consequences of a bug or vulnerability going undetected. The exposed data raises questions about customer consent and awareness of being tracked using GPS devices. It’s unclear if the individuals associated with the exposed trackers are aware of their locations being monitored.
What You Can Do
If you’re a Hapn customer, review your account settings and the data attached to your trackers, and consider contacting Hapn directly to ask what security measures and protocols it applies to sensitive information.
Conclusion
The exposure of thousands of customers’ names and affiliations due to a website bug highlights the importance of website security and customer consent. Companies like Hapn must prioritize the security of user data and ensure that their systems are robust against vulnerabilities.