- Security researchers discover Hapn website is leaking sensitive information
- Data includes person names and business relationships
- No location data leaked, but the company is silent for now
Hapn, a company that sells GPS tracking hardware and software, is reportedly leaking sensitive user information online.
In late November 2024, a security researcher contacted TechCrunch and said they had discovered a bug in the Hapn website that allowed malicious actors to view exposed material using developer tools in a web browser.
The exposed data apparently included customer names and the names of their workplaces. It also included data from more than 8,600 GPS trackers and the IMEI number of the SIM card. Location data was not included. TechCrunch analyzed some of the data and even contacted some of the people whose names were found in the leaked data, and confirmed that the information was correct.
No response
Hapn is used by commercial entities and individuals, and the company promotes its tools as a means of tracking valuables and loved ones. It claims to have more than 460,000 active devices, with customers reportedly including some Fortune 500 companies.
Tracking services are always a sensitive topic, whether they are hardware or software-based, because in many cases they are misused to spy on people and track their locations without their consent or knowledge.
Database configuration errors, website errors, and other errors can happen to anyone. What matters is how a company responds to notifications, and in this case, Hapn appears to have failed. TechCrunch said “several emails” to the CEO went unanswered, and some were bounced back with an error message indicating the address did not exist.
“The company does not have a web page or form for reporting security vulnerabilities,” the publication added.
Regardless, we’ve reached out to Hapn and will update this article if we hear back from the company.
Edited on December 20 – We received a response from Hapn CEO and co-founder Joseph Besdin, who told us that the exposure was limited to historical data from April 2024 and only affected three customer accounts.
He added that the issue has been completely resolved.
“We take security issues very seriously and have implemented additional safeguards. We are also communicating directly with affected customers,” Besdin concluded.
Via TechCrunch