A critical website bug has been discovered in GPS tracking firm Hapn, exposing the names of thousands of its customers, including their workplaces and affiliations. The security vulnerability, reported to TechCrunch in late November, allows anyone with a Hapn account to log in and view the exposed data using the developer tools built into their web browser.
Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.
The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. Although the exposed data does not include location data, thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.
Despite multiple attempts to contact Hapn, the company has not responded to emails from TechCrunch, and the customer names remain exposed at the time of writing. Several emails to Hapn CEO Joe Besdin went unreturned, and a message sent to an email address listed on the company's privacy policy returned with a bounce error, saying that the email address does not exist.
The lack of response from Hapn is concerning, especially given the company's lack of a webpage or form for reporting security vulnerabilities. This oversight makes it difficult for security researchers to report vulnerabilities, potentially putting customers' data at risk.
The security researcher who discovered the bug began investigating Hapn after finding online reviews from customers who claimed to have used the GPS devices to track their spouses or partners. This raises serious concerns about privacy and the potential misuse of GPS tracking devices.
When contacted, individuals whose names and affiliations were listed in the exposed data confirmed their names and workplaces but declined to discuss their use of the GPS tracker. One company listed on Hapn's website as a corporate customer had several trackers listed in the exposed data, highlighting the potential scope of the issue.
The exposed customer records also show thousands of trackers with associated names but no other discernible affiliation. It's unclear whether these individuals are aware that they are being tracked, raising further concerns about privacy and consent.
The incident serves as a stark reminder of the importance of robust security measures and responsible data handling practices. As GPS tracking technology becomes increasingly prevalent, companies like Hapn must prioritize the protection of their customers' sensitive information.
In the wake of this incident, it's essential for Hapn to take immediate action to rectify the situation, notify affected customers, and implement measures to prevent similar breaches in the future. The company's silence and lack of transparency are unacceptable and may lead to a loss of trust among its customers and the wider public.
As the use of GPS tracking devices continues to grow, this incident highlights the need for greater accountability and oversight in the industry. It's crucial for companies to prioritize customer privacy and security, and for regulators to ensure that these companies are held to the highest standards of data protection.