Bluspark Shipping Platform Left Freight Data Exposed for Months

Security researcher Eaton Zveare reports that Bluspark Global’s Bluvoyix freight‑management platform, used by hundreds of shippers and major U.S. retailers, grocery chains and manufacturers, had basic security flaws that left decades of shipment records and customer data exposed to anyone on the internet. In October he found that a publicly accessible API, advertised as requiring authentication, in fact returned sensitive account data including plaintext passwords and allowed creation of new administrator‑level accounts, effectively giving an attacker full control of the system and access to shipment data back to 2007. Zveare says Bluspark also left security tokens easily bypassed and had no clear vulnerability‑disclosure process, forcing him to spend weeks emailing, calling and messaging on LinkedIn before he could get the company’s attention; a maritime‑security group also tried and failed to reach Bluspark before other channels finally worked. The company now says it has fixed five vulnerabilities, including the plaintext passwords and remote‑access bugs, but has not publicly detailed how long the system was exposed or whether any criminal groups exploited it, amid broader law‑enforcement concern that organized cargo‑theft rings are pivoting to hacking logistics platforms to silently reroute shipments. For U.S. supply chains already strained by theft and geopolitical risk, the case underscores how a single unprotected SaaS provider can create systemic vulnerability, and how weak disclosure practices can leave critical infrastructure open for far too long.