Logistics Firm Bluspark Leaves Executive Passwords and Shipping Data Exposed
San Francisco, Wednesday, 14 January 2026.
Bluspark exposed global shipping data and executive passwords in plaintext, only addressing the critical lapse after a researcher proved he possessed the CEO’s credentials to the media.
A Critical Lapse in Supply Chain Security
In a startling revelation for the logistics sector, New York-based shipping technology company Bluspark Global was found to have left its internal systems wide open to the public internet [1][2]. The vulnerabilities, which plagued the company’s Bluvoyix platform, exposed sensitive customer data and shipment records dating back to 2007 [3][4]. Most alarmingly, the exposure included the storage of passwords in plaintext—unencrypted formats readable by anyone with access—including those belonging to company executives [1][5]. This lapse allowed for potential unauthorized administrative access, posing a severe risk to the supply chains of the hundreds of large companies that rely on Bluspark’s technology to track goods worldwide [5].
The Silence Before the Fix
The discovery was made in October 2025 by security researcher Eaton Zveare, who identified five distinct flaws within the platform [1][2]. Zveare initially attempted to report these critical vulnerabilities through standard channels, submitting details to the Maritime Hacking Village, a nonprofit dedicated to maritime cybersecurity [5]. Despite repeated attempts to contact Bluspark via email, voicemail, and LinkedIn over several months, the company failed to respond to the warnings [2][4]. This lack of communication highlights a broader issue in the industry regarding the absence of clear vulnerability disclosure channels, a critical defense mechanism against the rising tide of cyberattacks targeting global shipping [1][6].
Escalation Through Proof
The stalemate was only broken when the situation was escalated to the media. After failing to elicit a response on his own, Zveare contacted TechCrunch, which then reached out to Bluspark CEO Ken O’Brien [1][3]. Silence persisted until the publication sent an email containing a partial copy of the CEO’s own password to demonstrate the severity of the exposure [3][5]. It was only following this undeniable proof of compromise that the company acknowledged the issue. Attorney Ming Lee, representing Bluspark, stated on January 13, 2026, that the firm is “confident in the steps taken to mitigate potential risk arising from the researcher’s findings” [2].
Resolution and Future Security
As of this week, Bluspark confirms that the five identified flaws, including the unauthenticated API and remote access vulnerabilities, have been patched [1][3]. While the company maintains there is “no indication of customer impact or malicious activity,” they have declined to comment on whether specific shipments were manipulated during the exposure window [2]. Moving forward, Bluspark is working to retain a third-party firm for an independent security assessment and is planning to implement a formal disclosure program for security researchers to prevent future communication failures [1][5].