
Cyber Incident Victim: Bluspark Global

Date:

Oct 2025

Location:

United States of America

Summary

Bluspark Global, a New York‑based provider of the Bluvoyix shipping platform, left its API exposed with plaintext passwords and no authentication, allowing anyone to retrieve user data and create administrator accounts. After discovering the flaws, a security researcher tried to notify the company through multiple channels but received no response until TechCrunch intervened, prompting a law firm to confirm that most issues had been remediated and that the company was working on a vulnerability disclosure program. The company stated there was no evidence of malicious activity or customer impact stemming from the exposed data.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

Eaton Zveare, a security researcher, first identified vulnerabilities in Bluspark Global’s systems in October 2025 while examining the website of a Bluspark customer. He noticed that the customer’s contact form sent messages through Bluspark’s servers via an API, and by inspecting the web page source code he saw that the API’s auto‑generated documentation was publicly accessible. The documentation page described a feature that allowed anyone to test the API by submitting commands to retrieve data as if they were a logged‑in user, despite the page claiming that authentication was required. Zveare entered the API’s web address into his browser and found that the API returned sensitive information without demanding any credentials. Using the listed API commands he was able to retrieve user account records for employees and customers, including usernames and passwords that were stored in plaintext and not encrypted. The exposed data included an account associated with the platform’s administrator, which would have allowed an attacker to log in with full privileges. Zveare observed that the API also listed a command to create a new user with administrator access, which he exercised to gain unrestricted entry to Bluspark’s Bluvoyix supply chain platform. Once logged in with the newly created admin‑level account, he could view customer shipment records dating back to 2007, and each API request was accompanied by a user‑specific token that was not actually required to complete the command, confirming the lack of authentication.


After discovering the flaws, Zveare attempted to notify Bluspark through the Maritime Hacking Village, a nonprofit that assists researchers in contacting maritime industry firms. He submitted a detailed vulnerability report to the organization in October 2025. Over the following weeks he sent multiple emails, left voicemails, and sent LinkedIn messages to Bluspark, but received no response, and the vulnerabilities remained exploitable by anyone on the internet. Frustrated by the silence, Zveare reached out to TechCrunch in an effort to have the issue publicized. TechCrunch emailed Bluspark’s CEO Ken O’Brien and the company’s senior leadership, alerting them to the security lapse, but those messages went unanswered. TechCrunch also contacted a Bluspark customer—a U.S. publicly traded retail company—to warn them of the upstream exposure, and again received no reply. On the third attempt to contact the CEO, TechCrunch included a partial copy of O’Brien’s password in the email to demonstrate the severity of the plaintext password issue. A couple of hours later, TechCrunch received a reply not from Bluspark directly but from a law firm representing the company.

The law firm conveyed that Bluspark had addressed most of the flaws after being made aware of them through Zveare’s report, and that the firm was in the process of retaining a third‑party company to conduct an independent security assessment. Ming Lee, an attorney for Bluspark, told TechCrunch that the company was confident in the steps taken to mitigate any potential risk arising from the researcher’s findings, but declined to specify which vulnerabilities had been fixed, how they were remedied, or which third‑party assessor had been engaged. Lee also refused to comment on Bluspark’s specific security practices or to provide any evidence supporting the claim that there was no indication of customer impact or malicious activity attributable to the issues identified by Zveare. When asked whether Bluspark had determined if any customer shipments had been manipulated by someone exploiting the bugs, Lee reiterated that there was no sign of such impact and that the company would not disclose the basis for that conclusion.

In response to the disclosure, Bluspark confirmed that it had remediated five specific flaws in its platform. These included the elimination of plaintext password storage for employees and customers, the closure of the unauthenticated API endpoint that had allowed data retrieval without credentials, and the removal of the ability to create new administrator accounts via the API without authentication. The company also stated that it had implemented changes to ensure that API requests now required valid authentication tokens that could not be bypassed. Bluspark indicated that it was working with an external firm to validate the fixes and to assess any residual risk, though it did not name the firm or share the assessment’s timeline. Additionally, Lee mentioned that Bluspark was in discussions to establish a formal disclosure program that would permit outside security researchers to report bugs and vulnerabilities directly to the company, but noted that those discussions were still ongoing and no program had been launched at the time of the article. Throughout the interaction, Bluspark’s CEO Ken O’Brien did not provide any comment to TechCrunch or to the public regarding the incident, the remediation efforts, or the planned disclosure program. The law firm’s statements represented the only official communication from Bluspark after the researcher’s initial outreach. The article concluded with a note that TechCrunch could be contacted securely via Signal using the username zackwhittaker.1337, but no further details about the incident’s aftermath, any ongoing monitoring, or potential legal actions were disclosed in the source material.
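As an added illustration, not Bluspark's code and not taken from the article, the Python sketch below contrasts the pattern described above (a per-user token that is sent with every request but never checked) with a handler that actually validates the session and its role, and that stores passwords as salted PBKDF2 hashes instead of plaintext. All users, passwords, endpoints and function names are constructed for the example.

```python
import hashlib, hmac, os, secrets
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'salt_hex$hash_hex' (PBKDF2-SHA256), never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def check_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed sample directory (hypothetical users and passwords).
USERS = {
    "alice": {"pw": hash_password("correct horse"), "role": "user"},
    "admin": {"pw": hash_password("s3cret!"), "role": "admin"},
}
SESSIONS = {}  # token -> username; only login() adds entries

def login(username: str, password: str) -> Optional[str]:
    user = USERS.get(username)
    if user is None or not check_password(password, user["pw"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

# Role each endpoint needs; unknown endpoints default to admin (deny by default).
REQUIRED_ROLE = {"/users": "user", "/users/create_admin": "admin"}

def handle_unverified(endpoint: str, token: Optional[str]) -> dict:
    """'Before' pattern from the article: a token rides along with the request
    but nothing inspects it, so any caller, token or not, is served."""
    return {"endpoint": endpoint, "granted": True}

def handle_verified(endpoint: str, token: Optional[str]) -> dict:
    """'After' pattern: the token must map to a live session and that session's
    role must satisfy the endpoint, otherwise the request is refused."""
    username = SESSIONS.get(token or "")
    if username is None:
        return {"endpoint": endpoint, "granted": False, "reason": "unauthenticated"}
    if REQUIRED_ROLE.get(endpoint, "admin") == "admin" and USERS[username]["role"] != "admin":
        return {"endpoint": endpoint, "granted": False, "reason": "forbidden"}
    return {"endpoint": endpoint, "granted": True, "user": username}
```

The unverified handler answers every request identically whether or not a token is present, which is exactly the behaviour the researcher used to confirm the missing authentication; the verified handler refuses anonymous callers outright and refuses the admin-creation endpoint to non-admin sessions.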

The narrative presented here relies exclusively on the information contained in the provided article, describing the chronological sequence of Zveare’s discovery, his notification attempts, the company’s eventual response through legal counsel, the specific flaws that were addressed, and the statements made regarding impact assessments and future disclosure intentions, without adding speculation, opinion, or any facts not present in the source.

Sources: 1 source (available to members)