Top US Shipping Platform Left Customer Data Open to Hackers

Cargo theft is no longer just about stolen trucks and falsified documentation. Over the past year, security researchers have been warning that hackers are increasingly targeting the technology behind global shipping, quietly manipulating systems that move millions of dollars’ worth of goods.

In some cases, organized crime groups use hacked logistics platforms to reroute shipments, allowing criminals to steal goods without ever setting foot in a warehouse. A recent case involving a critical US shipping technology supplier shows how exposed parts of the supply chain have been and for how long.

Sign up to receive my FREE CyberGuy report Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM fact sheet

A key shipping platform was left wide open

CRIME RINGS AND HACKERS JOIN FORCES TO HICT TRUCKS NATIONWIDE, FUELING TOP SECURITY FEARS IN HOLIDAY SHIPPING

The company at the center of this incident is Bluspark Global, a New York-based company whose Bluvoyix platform is used by hundreds of companies to manage and track the transportation of goods around the world. While Bluspark is not a household name, its software supports a large portion of global shipping, including major retailers, supermarket chains, and manufacturers.

For months, Bluspark’s systems allegedly contained basic security flaws that effectively left its shipping platform exposed to anyone on the Internet. According to the company, five vulnerabilities were eventually fixed, including the use of plain text passwords and the ability to remotely access and interact with the Bluvoyix platform. These flaws could have given attackers access to decades of shipping records and customer data.

Bluspark says those issues are now resolved. But the timeline leading up to the fixes raises serious concerns about how long the platform was vulnerable and how difficult it was to alert the company in the first place.

How a researcher discovered the flaws

Security researcher Eaton Zveare discovered the vulnerabilities in October while examining a Bluspark customer’s website. What started as a routine glance at a contact form quickly escalated. Upon viewing the website’s source code, Zveare noticed that messages submitted through the form passed through Bluspark’s servers using an application programming interface, or API.

From there, things quickly fell apart. The API documentation was publicly accessible and included a built-in function that allowed anyone to test commands. Despite claiming that authentication was required, the API returned sensitive data without any login. Zveare was able to recover large amounts of user account information, including employee and customer usernames and passwords stored in plain text.

Worse yet, the API allowed the creation of new administrator-level accounts without proper checks. That meant an attacker could be granted full access to Bluvoyix and view shipping data dating back to 2007. Even security tokens designed to limit access could be bypassed entirely.

Why it took weeks to fix critical shipping security flaws

One of the most worrying parts of this story is not just the vulnerabilities themselves, but how difficult it was to fix them. Zveare spent weeks trying to contact Bluspark after discovering the flaws, sending emails, voicemails and even LinkedIn messages, without success.

Without a clear vulnerability disclosure process, Zveare ultimately turned to Maritime Hacking Village, which helps researchers notify companies in the maritime and shipping industries. When that failed, he contacted the press as a last resort.

Only after that did the company respond, through its legal advisor. Bluspark later confirmed that it had fixed the flaws and said it plans to introduce a formal vulnerability disclosure program. The company has not said whether it found evidence that attackers exploited the bugs to manipulate shipments, stating only that there was no indication of customer impact. It also declined to share details about its security practices or third-party audits.

10 Ways to Stay Safe When Cyberattacks Impact Supply Chains

Hackers can break into a shipping or logistics platform without you realizing that your data was involved. These steps will help you reduce your risk when attacks like this occur.

1) Be on the lookout for delivery scams and fake shipping notices

Following supply chain breaches, criminals often send phishing emails or text messages posing as shipping companies, retailers, or delivery services. If a message pressures you to click a link or “confirm” shipping details, slow down. Go directly to the retailer’s website instead of relying on the message.

2) Use a password manager to protect your accounts

If attackers gain access to customer databases, they often use the same login details for shopping, email, and banking accounts. A password manager ensures that each account has a unique password, so that one breach doesn’t give attackers the keys to everything else.

Next, check to see if your email has been exposed in previous breaches. Our number one password manager (see Cyberguy.com) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com

3) Reduce your personal data exposed online

Criminals often combine data from a breach with information extracted from data broker sites. Personal data removal services can help reduce the amount of your information publicly available, making it harder for criminals to target you with compelling scams.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com

Get a free scan to find out if your personal information is already available on the web: Cyberguy.com

4) Run powerful antivirus software on your devices

Strong antivirus software can block malicious links, fake submission pages, and malware attachments that often follow high-profile breaches. Keeping real-time protection enabled adds an important layer when criminals try to take advantage of the confusion.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com

HUGE DATA LEAK EXPOSES 14 MILLION CUSTOMER SHIPPING RECORDS

5) Enable two-factor authentication whenever possible

Two-factor authentication (2FA) makes it much harder for attackers to take over accounts, even if they have your password. Prioritize email, purchasing accounts, cloud storage, and any services that store payment or delivery information.

6) Review your account activity and delivery history.

Check your online shopping accounts for any unknown orders, address changes, or saved payment methods you don’t recognize. Detecting changes early can prevent fraud from escalating.

7) Consider identity theft protection

Identity theft protection services can alert you to suspicious credit activity and help you recover if attackers access your name, address, or other personal data. Identity theft companies can monitor personal information such as your social security number (SSN), phone number, and email address and alert you if it is sold on the dark web or used to open an account. They can also help you freeze your bank and credit card accounts to prevent further unauthorized use by criminals.

See my tips and best options on how to protect yourself from identity theft at Cyberguy.com

8) Freeze credit for free to stop new fraud

If your name, email, or address was exposed, consider freezing your credit with the major credit bureaus. A freeze prevents criminals from opening new accounts in your name, even if they obtain additional personal data later. It’s free, easy to temporarily lift, and one of the most effective steps you can take after a violation. For more information on how to do this, go to Cyberguy.com and search “How to freeze your credit.”

9) Lock your shipping and retail accounts

Review security settings on major purchasing and delivery accounts, including retailers, grocery services, and shipping providers. Pay close attention to saved delivery addresses, default shipping locations, and linked payment methods. Sometimes attackers add their own direction silently and wait before making any moves.

10) Companies should review third-party logistics access

If you run a business that relies on shipping or logistics platforms, incidents like this are a reminder to review ar access controls for suppliers. Limit administrative permissions, rotate API keys regularly, and confirm that vendors have a clear vulnerability disclosure process. Supply chain security depends on more than just your own systems.

Kurt’s Key Takeaway

Shipping platforms sit at the intersection of physical goods and digital systems, making them attractive targets for cybercriminals. When basic protections like authentication and password encryption are missing, the consequences can extend to the real world, from stolen cargo to supply chain disruption. The incident also highlights how many companies still lack clear, public ways for researchers to report vulnerabilities responsibly.

Do you think companies quietly powering global supply chains are doing enough to protect themselves from cyber threats? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE News APP

Sign up to receive my FREE CyberGuy report Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM fact sheet

Copyright 2026 CyberGuy.com. All rights reserved.