US-based logistics technology firm made its shipping platforms and client information accessible online

Cybersecurity Threats Target Global Shipping Industry

Over the past year, experts in cybersecurity have been warning the international shipping sector to strengthen its digital protections, following a series of cargo thefts traced back to cybercriminals. These specialists have observed sophisticated attacks on logistics providers, where hackers collaborate with organized crime groups to reroute valuable shipments, resulting in significant losses for businesses worldwide.

• A truck loaded with stolen vaping products was hijacked in one incident.
• In another case, there was a suspected theft of lobsters from a Massachusetts warehouse.

Critical Vulnerabilities Exposed in Major Shipping Software

One key U.S. technology provider in the shipping industry, Bluspark Global, recently spent several months addressing a series of basic security weaknesses that left its shipping platform exposed to the internet. These flaws made it possible for unauthorized users to access sensitive systems.

Bluspark Global, based in New York, operates the Bluvoyix platform, which enables hundreds of major corporations to manage and monitor their shipments worldwide. Although not widely recognized by the public, Bluspark plays a crucial role in facilitating global freight movement for retailers, supermarkets, furniture producers, and more. Its software is also utilized by partner organizations connected to Bluspark.

This week, Bluspark informed TechCrunch that it has resolved its security issues. The company addressed five vulnerabilities, including the use of unencrypted passwords by both staff and clients, and remote access capabilities to its shipping software. These flaws had exposed decades’ worth of customer shipment data to potential attackers.

Challenges in Reporting Security Flaws

Security researcher Eaton Zveare, who discovered the vulnerabilities in October, found it more difficult to alert Bluspark to the problems than to identify the bugs themselves, as the company lacked a clear contact method for reporting security concerns.

Zveare described how he submitted his findings to a nonprofit focused on maritime cybersecurity and facilitating responsible disclosure to affected companies.

Despite repeated attempts—including emails, voicemails, and LinkedIn messages—Zveare received no response from Bluspark, leaving the vulnerabilities unaddressed and accessible online.

As a last measure, Zveare reached out to TechCrunch for assistance in bringing attention to the issue.

TechCrunch contacted Bluspark’s CEO, Ken O’Brien, and other senior executives to notify them of the security breach, but did not receive a reply. The publication also attempted to inform a major retail client of Bluspark about the upstream security risk, but again received no response.

On the third attempt to reach Bluspark’s CEO, TechCrunch included a partial password as evidence of the breach’s seriousness.

Shortly thereafter, a law firm representing Bluspark responded to TechCrunch’s inquiry.

Unencrypted Passwords and Open API Access

Zveare’s investigation began when he visited a Bluspark client’s website and discovered a contact form that sent messages through Bluspark’s servers using their API. By examining the website’s source code, he realized the form could be manipulated to send malicious emails—such as phishing attempts—originating from a legitimate Bluspark customer.

By entering the API’s URL into his browser, Zveare accessed automatically generated documentation listing all available API commands, including those for retrieving user lists and creating new accounts.

The documentation page even allowed users to test API commands directly, and despite claims that authentication was required, Zveare found that no credentials were needed to access sensitive data from Bluspark’s servers.

Using these API commands, Zveare was able to obtain extensive user account details for both employees and clients, including usernames and passwords stored in plaintext—even for administrator accounts.

Although Zveare, as an ethical researcher, did not use these credentials, he noted that an attacker could have easily taken control of the platform. The API also permitted the creation of new administrator accounts, granting unrestricted access to the Bluvoyix system and customer data dating back to 2007.

Further analysis revealed that while API requests were supposed to be protected by user-specific tokens, these tokens were not actually required, confirming the API’s lack of authentication.

Remediation Efforts and Future Security Plans

After Bluspark’s legal representatives established contact, Zveare authorized TechCrunch to share his vulnerability report with the company. Within days, the law firm reported that most issues had been addressed and that Bluspark was seeking an independent third-party security assessment.

Zveare’s experience highlights a broader issue in cybersecurity: many organizations do not provide clear channels for reporting vulnerabilities, making it difficult for researchers to responsibly disclose active threats without risking user data exposure.

Ming Lee, Bluspark’s attorney, stated that the company is “confident in the steps taken to mitigate potential risk arising from the researcher’s findings,” but declined to discuss specific vulnerabilities, the identity of any third-party assessors, or details of the company’s security practices.

When asked whether any customer shipments had been compromised due to these vulnerabilities, Bluspark did not provide a definitive answer. Lee said there was “no indication of customer impact or malicious activity attributable to the issues identified by the researcher,” but did not elaborate on the evidence supporting this claim.

Lee also mentioned that Bluspark is considering launching a vulnerability disclosure program to allow external researchers to report security issues, though discussions are ongoing.

Bluspark CEO Ken O’Brien did not comment for this article.