How This Briefing Works
This report opens with key findings, then maps the gaps between what Bloomreach discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
1 detection across 1 site100% pre-consent activity
CRITICAL
Pre-Consent Activity
Bloomreach was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
GDPRePrivacy
Disclosure Gaps
Claims vs. Observed Behavior
1 gaps
pending
UNKNOWN
They Claim
“Awaiting scanner verification”
Observed Behavior
Runtime behavior not yet observed
Customer Impact
What This Means For You
Organizations deploying Bloomreach Engagement are granting the platform access to their complete customer behavioral and transactional history. The CDP ingests full historical data from commerce platforms and maintains real-time synchronization, meaning Bloomreach accumulates a comprehensive mirror of the customer database. The AI-driven personalization creates dependency risk — as Loomi AI optimizes campaign performance, switching costs increase because the institutional knowledge of what works is embedded in Bloomreach's models rather than the customer's own systems. Server-side cookie circumvention of browser privacy protections may create regulatory exposure in jurisdictions where browser consent signals are considered legally meaningful.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Bloomreach
- →• Map all data flows between your commerce platform and Bloomreach — understand exactly what historical data was imported and what syncs in real-time • Audit Bloomreach cookie configuration to determine if third-party or first-party mode is active, and whether server-side cookie extensions are circumventing browser privacy protections • Request documentation of Loomi AI decision logic for your account to understand how personalization decisions are made and attributed • Review server-to-server advertising integrations to determine what customer data is being shared with ad platforms • Establish data portability plan — ensure you can export all customer profiles and behavioral data if switching vendors
Negotiation Leverage
- →Key leverage: Bloomreach's value increases with data volume, meaning they are incentivized to retain customers — use this during renewal negotiations. Request contractual guarantees on data portability including full behavioral data export in standard formats. Ask for transparency on Loomi AI decision-making: what data inputs drive personalization, how attribution is calculated, and whether Bloomreach uses aggregated customer data to improve models that benefit competitors. Key questions: (1) What happens to ingested customer data after contract termination — deletion timeline and verification? (2) Does Loomi AI use anonymized/aggregated data from your account to train models for other customers? (3) Can server-side cookie tracking be disabled without degrading core functionality? Protections to negotiate: data deletion SLA post-termination, restriction on cross-customer model training with your data, right to audit AI decision logic, contractual commitment to respect browser privacy signals.
Runtime Detections
Runtime Detections
6 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
Impact: CDP unifies behavioral data from website, email, SMS, mobile app, and advertising channels into a single customer profile. Commerce platform integrations download complete historical customer data and maintain real-time sync via webhooks.
BTI-C07Session Recording
Full session replay
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
Impact: Server-side cookie solutions are specifically designed to circumvent browser privacy protections (Safari ITP, Mozilla ETP), extending tracking persistence beyond browser-intended limits. Cross-channel automated responses may fire before channel-specific consent is validated.
BTI-C10Fingerprinting
Device identification
IOC Manifest
IOC Manifest
155 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.bloomreach.com/wp-content/themes/hello-theme-child-master/js/scripts.js*
Tracking script
TRACK
*www.bloomreach.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/themes/hello-theme-child-master/assets/js/swiper-bundle.js*
Tracking script
TRACK
*www.bloomreach.com/cdn-cgi/scripts/*/cloudflare-static/email-decode.js*
Tracking script
TRACK
*www.bloomreach.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-dropdown/script.js*
Tracking script
TRACK
*www.bloomreach.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*www.bloomreach.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/sdk.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/wp-content/themes/hello-theme-child-master/js/authors-carousel.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/ajax/libs/bodymovin/5.12.2/lottie.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/wp-content/themes/hello-theme-child-master/elementor/widgets/assets/js/bloomreach-buttons.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/themes/hello-elementor/assets/js/hello-frontend.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/themes/hello-theme-child-master/assets/js/jquery-ui.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/embed/v4.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/cache/min/1/wp-content/themes/hello-theme-child-master/assets/js/common.js*
Tracking script
TRACK
*www.bloomreach.com/wp-includes/js/jquery/ui/core.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor/assets/js/webpack.runtime.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor-pro/assets/js/frontend.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor/assets/js/frontend-modules.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.8.3/lazyload.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor/assets/js/frontend.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.*.bundle.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor/assets/js/video.*.bundle.js*
Tracking script
TRACK
*www.bloomreach.com/wp-content/plugins/elementor/assets/js/text-editor.*.bundle.js*
Tracking script
TRACK
www.bloomreach.com/wp-content/cache/min/1/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-dropdown/script.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/cache/min/1/ajax/libs/bodymovin/5.12.2/lottie.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/themes/hello-theme-child-master/js/scripts.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/cache/min/1/wp-content/themes/hello-theme-child-master/js/authors-carousel.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/themes/hello-theme-child-master/assets/js/swiper-bundle.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/cache/min/1/sdk.js
Auto-extracted from scan
TRACK
www.bloomreach.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/cache/min/1/embed/v4.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/themes/hello-theme-child-master/assets/js/jquery-ui.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/cache/min/1/wp-content/themes/hello-theme-child-master/assets/js/common.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/themes/hello-elementor/assets/js/hello-frontend.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-includes/js/jquery/ui/core.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/cache/min/1/wp-content/themes/hello-theme-child-master/elementor/widgets/assets/js/bloomreach-buttons.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.8.3/lazyload.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor/assets/js/shared-frontend-handlers.03caa53373b56d3bab67.bundle.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor/assets/js/text-editor.45609661e409413f1cef.bundle.min.js
Auto-extracted from scan
TRACK
www.bloomreach.com/wp-content/plugins/elementor/assets/js/video.86d44e46e43d0807e708.bundle.min.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Bloomreach integrates deeply with major commerce platforms: Shopify (enterprise partnership announced 2025, claiming 300%+ revenue increases), BigCommerce (full data import plus webhook sync), Salesforce Commerce Cloud (dedicated cartridge for near-real-time data exchange), and Magento 2. The platform maintains technology partnerships for advertising (Meta, Google Ads), analytics, and data enrichment. Server-to-server integrations enable Bloomreach Engagement clients to share conversion data with advertisers, bypassing client-side cookie limitations. The platform serves as a data hub — ingesting customer data from commerce platforms, processing it through Loomi AI, and distributing personalized content across email, SMS/MMS, mobile push, web, and advertising channels.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
155 detection signatures across scripts, domains, cookies, and network endpoints