US cargo tech company left shipping systems and customer data exposed online

Over the past year, security researchers have repeatedly warned that the global shipping industry needs stronger cyber defences, following a series of cargo thefts linked to hacking. Researchers say logistics firms have increasingly been targeted by coordinated cyberattacks designed to seize control of shipping systems and redirect goods, often in coordination with organised crime. Incidents have ranged from stolen vape shipments to suspected high-value seafood thefts.

One U.S.-based cargo technology company recently spent months securing its systems after discovering several basic vulnerabilities that had left its shipping platform publicly accessible online.

The company, Bluspark Global, is a New York–based firm that operates Bluvoyix, a shipping and supply chain platform used by hundreds of large companies to move goods and track cargo worldwide. While Bluspark is not a household name, its software supports a wide range of freight operations for retailers, grocery chains, furniture makers, and other significant businesses. Several affiliated companies also rely on the same platform.

Bluspark confirmed that it has since fixed five security flaws in its systems. The issues included employees and customers using plaintext passwords and unauthorised users remotely accessing and interacting with Bluvoyix’s shipping software. The vulnerabilities exposed customer shipment records dating back many years.

Security researcher Eaton Zveare, who identified the flaws in October, said alerting the company proved far more difficult than uncovering the vulnerabilities themselves. According to Zveare, Bluspark lacked a straightforward, publicly available method for reporting security issues.

In a blog post detailing his findings, Zveare said he submitted information about the vulnerabilities to the Maritime Hacking Village. This nonprofit organisation helps researchers alert companies in the maritime and logistics sectors to security risks. Despite multiple emails, phone calls, and LinkedIn messages, Bluspark did not respond for weeks, leaving the systems exposed.

After failing to get a response, Zveare contacted the media to raise awareness of the issue. Several attempts to reach Bluspark’s leadership went unanswered until a message demonstrating partial access to executive credentials prompted a response from a law firm representing the company.

Plaintext passwords and an unauthenticated API

Zveare said his investigation began while reviewing the website of a Bluspark customer. A contact form on the site routed messages through Bluspark’s servers using an API. By inspecting the website’s source code, Zveare discovered the API endpoint was publicly exposed.

The API documentation listed a wide range of actions, including viewing users and creating new accounts. Despite stating that authentication was required, the API returned sensitive data without requesting any credentials.

Using these unauthenticated requests, Zveare accessed user records containing usernames and passwords stored in plaintext, including administrator-level accounts. While he did not use the exposed credentials, Zveare found that the API allowed anyone to create a new administrator account, granting full access to the Bluvoyix platform and shipment data dating back to 2007.

Further testing showed that security tokens intended to restrict access were not required, confirming that the API lacked proper authentication controls.

Bugs fixed; the company plans to implement a new security policy.

After contact was established through Bluspark’s legal representatives, the company began addressing the vulnerabilities and said it planned to retain a third-party firm to conduct an independent security assessment.

An attorney representing Bluspark said the company is confident it has mitigated the risks identified by the researcher,r but declined to provide technical details about the fixes or name the security firm involved. The company also would not confirm whether any customer shipments had been affected, stating there was no indication of malicious activity tied to the vulnerabilities.

Bluspark said it is considering introducing a formal vulnerability disclosure program that would allow security researchers to report issues directly. Discussions around that process are ongoing.

Bluspark CEO Ken O’Brien did not provide a comment.