- A security researcher found that Hapn’s website is spilling sensitive information
- The data includes people’s names and business affiliations
- No location data was leaked, but the company is remaining quiet for now
Hapn, a company that sells GPS tracking hardware and software, is reportedly spilling sensitive user information online.
In late November 2024, a security researcher reached out to TechCrunch, saying they observed a bug in Hapn’s website, which allows malicious actors to view the exposed data using the developer tools in the web browser.
The exposed data apparently includes customer names and the names of their workplaces. It also includes data on more than 8,600 GPS trackers and the IMEI numbers for their SIM cards. Location data is not included, though. TechCrunch analyzed some of the data, reached out to a few people whose names were found in it, and confirmed the information is correct.
No response
Hapn is used by both commercial entities and individuals. The company advertises its tools as a means of tracking valuables and loved ones and claims there are more than 460,000 active devices, with customers reportedly including some Fortune 500 companies.
Tracking services are always a sensitive topic, whether they are hardware-based or software-based, since in many instances they are abused to spy on people and track their location without consent or knowledge.
Misconfigured databases, website bugs, and other errors can happen to anyone. How companies respond to being notified is what matters, and in this case, it seems that Hapn failed. TechCrunch says “several emails” to the CEO went unreturned, and some even bounced with an error message that the address is non-existent.
“The company does not have a web page or form for reporting security vulnerabilities,” the publication added.
We have reached out to Hapn anyway, and will update this article if we hear back from the company.
Edit, December 20 – We have heard back from Hapn CEO and co-founder, Joseph Besdin, who told us that the exposure was limited to historical data from April 2024, and that it only affected three customer accounts.
The issue has been fully resolved, he added.
“We take security extremely seriously and have already implemented additional safeguards. We’re in direct communication with the affected customers as well,” Besdin concluded.
Via TechCrunch