Online mentoring site UStrive has resolved a security lapse that exposed the personal information of its users, including children.
The exposed data included the full names, email addresses, phone numbers, and other non-public and user-provided information of UStrive users, which was accessible to any other logged-in user.
The nonprofit, previously known as Strive for College, provides online mentorship to high school and college students through its platform. The organization would not say whether it plans to inform users about the security incident.
Last week, a person who asked not to be named alerted TechCrunch to the security flaw on UStrive’s mentoring platform. By examining the network traffic while signed in and navigating the site — such as viewing user profiles — anyone could see streams of users’ personal information in their browser tools.
The person said that UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint — a type of query database interface — that allowed access to reams of user data stored on UStrive’s servers. Some user records contained more data than others, including information provided by the student, such as their gender and date of birth. The person said that there were at least 238,000 user records at the time of discovery. UStrive meanwhile states on its home page that more than “1.1 million students have opted in for a UStrive mentor.”
TechCrunch confirmed the data exposure after creating a new user account on UStrive, and notified the company’s executives by email on Thursday.
John D. McIntyre, an attorney with Virginia law firm McIntyre Stein, which is representing UStrive, said in a letter provided to TechCrunch later on Thursday that UStrive is “currently in litigation with one of its former software engineers,” and as such the company is “somewhat limited in its ability to respond.”
TechCrunch told McIntyre that the company at that time still had a security lapse exposing the private and personal information of children, and asked McIntyre to notify TechCrunch if UStrive planned to fix the data exposure, and if so, by when.
McIntyre did not respond to our inquiry.
In response to TechCrunch’s initial outreach, UStrive chief technology officer Dwamian Mcleish told TechCrunch by email late on Thursday that the exposure had been “remediated.”
TechCrunch sent Mcleish follow-up emails with more questions about the incident, including: whether the company plans to notify its users about the security lapse, whether the company has the ability to check if there was any improper or malicious access to users’ data, and whether the company’s platform had undergone a security audit and, if so, by whom.
UStrive founder Michael J. Carter did not comment for this article.
