Shipping Giant Exposed: Bluspark’s Systems Left Open to the Web

A U.S.-based shipping technology company with a deep footprint in global logistics left internal systems and customer data accessible on the open web.

Bluspark Global, which operates the Bluvoyix cargo tracking platform, exposed administrative tools, user credentials, and shipment records for months through an API that did not require authentication. The platform is used by large retailers and manufacturers to manage and monitor freight movements worldwide.

The flaws were discovered by independent researcher Eaton Zveare, who attempted to alert the company through multiple channels without success. After weeks of silence, Zveare contacted TechCrunch, which also struggled to reach Bluspark leadership.

Only after a message included a partial password pulled from the exposed system did the company respond, doing so through outside legal counsel.

By that point, data dating back to 2007 had been reachable without authorization.

Why It Matters: Modern shipping depends on shared software platforms that connect carriers, vendors, and retailers. When one of those platforms is left exposed, the impact extends well beyond the vendor itself. In this case, unauthenticated access created a path into systems tied to real shipments and real customers, with limited visibility into what may have been accessed.

• Multiple Vulnerabilities Across the Platform: Bluspark’s shipping platform exposed several weaknesses at once. An unsecured API allowed anyone to view internal documentation listing available commands, including those intended for employees and administrators. The same interface could be used to pull user records and shipment data without any form of login or verification. The exposure reached production systems used by customers every day.

• Plaintext Passwords and Administrative Access: The exposed data included usernames and passwords stored in readable text, rather than being encrypted or hashed. Among these was an account tied to administrative privileges. Using the API’s own functions, Zveare was able to create a new administrator-level user and gain full access to the Bluvoyix platform. That access made it possible to view customer shipment histories stretching back nearly twenty years, along with other sensitive operational data.

• Researcher Faced Weeks of Silence: After discovering the flaws, Zveare attempted responsible disclosure by submitting details through the Maritime Hacking Village, a nonprofit that helps coordinate security reporting in the shipping industry. He also tried direct outreach through emails, voicemails, and LinkedIn messages. None received a response. During this period, the exposed systems remained accessible, increasing the window during which others could have found and abused the same weaknesses.

• Media Involvement Triggered Legal Response: TechCrunch contacted Bluspark leadership multiple times to flag the security lapse and received no reply. On a third attempt, the outlet included part of the CEO’s exposed password to demonstrate the severity of the issue. Within hours, Bluspark responded through a law firm. The company later said it had addressed the flaws and was seeking an outside assessment, though it did not share details about the fixes or the firm involved.

• No Evidence of Exploitation: Bluspark said it had found no indication that the exposed systems were used maliciously. The company did not explain what logs or data were reviewed to reach that conclusion, nor did it say whether customer shipments were checked for manipulation. It also declined to discuss how long the systems had been exposed or whether customers were notified directly about the issue.

Go Deeper -> US cargo tech company publicly exposed its shipping systems and customer data to the web – TechCrunch