Incident

Tracker firm Hapn leaks data of thousands of customers



A security researcher discovered and reported a data leak at Hapn (formerly known as Spytec), a GPS tracking company, in late November 2024. The company, which provides GPS tracking devices and software for monitoring vehicles and equipment, was leaking sensitive customer information through a website vulnerability.

Hapn claims to have over 460,000 active devices and counts Fortune 500 companies among its customers. Customer reviews indicate that some users employ these devices to track spouses or partners without their knowledge.

The security flaw allowed anyone with a Hapn account to access exposed data through web browser developer tools. The exposed information included:

  • Over 8,600 GPS tracker details
  • IMEI numbers for tracker SIM cards
  • Customer names
  • Workplace affiliations and business relationships

No location data was exposed in this breach.

Initial attempts to responsibly disclose the vulnerability were unsuccessful. Multiple emails sent to Hapn went unanswered, and some bounced back due to non-existent email addresses. The company lacked a dedicated security vulnerability reporting mechanism, complicating the disclosure process.

After public disclosure by TechCrunch, Hapn's CEO and co-founder Joseph Besdin responded on December 20, 2024, stating that the exposure was limited to historical data from April 2024 and affected only three customer accounts. He confirmed that the security issue has been resolved and additional safeguards implemented. The company is reportedly in direct communication with the affected customers.

TechCrunch verified the authenticity of the exposed data by contacting several individuals listed in the dataset, who confirmed their personal information was accurate.
