UStrive security lapse exposed personal data of its users, including children

Online mentoring site UStrive has fixed a security lapse that exposed the personal information of its users, including children. The exposed data included full names, email addresses, phone numbers, and other non-public details provided by users. This information was accessible to any other person logged into the platform.

The nonprofit, formerly known as Strive for College, provides online mentorship to high school and college students. The organization would not say whether it plans to inform users about this security incident.

Last week, an anonymous source alerted TechCrunch to the security flaw on UStrive’s platform. Anyone signed in could use browser tools to inspect the network traffic produced while viewing user profiles and see streams of personal information. The source explained that UStrive was using a vulnerable Amazon-hosted GraphQL endpoint, a type of database interface, which allowed access to large amounts of user data stored on its servers.

Some user records contained more information than others, including student-provided details like gender and date of birth. The source stated there were at least 238,000 user records exposed at the time of discovery. UStrive’s home page states that more than 1.1 million students have opted in for a mentor.
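The class of flaw described in the two paragraphs above, as an added illustration that is not UStrive's code (the article does not describe its schema or implementation): a GraphQL-style `user(id)` resolver that checks only that the caller is logged in, beside a hardened form that enforces object-level authorization (owner or admin sees the full record), masks non-public fields for everyone else, caps list page sizes so one query cannot walk a user table of hundreds of thousands of records, and writes an audit entry so a later question such as "was the data accessed maliciously" can actually be answered. All user data, field names, roles and the `MAX_PAGE_SIZE` value are constructed for the example.

```javascript
// Added illustration, not UStrive's code. A GraphQL-style `user(id)` resolver in a
// weak form and a hardened form. Records, field names and roles are constructed.

const USERS = {
  u1: { id: 'u1', fullName: 'Alice Student', email: 'alice@example.org', phone: '555-0100',
        dateOfBirth: '2008-04-02', gender: 'F', role: 'student' },
  u2: { id: 'u2', fullName: 'Bob Mentor', email: 'bob@example.org', phone: '555-0101',
        dateOfBirth: '1985-09-17', gender: 'M', role: 'mentor' },
};

// Fields any signed-in user may see about another user (an assumption for the example).
const PUBLIC_FIELDS = new Set(['id', 'fullName', 'role']);
const MAX_PAGE_SIZE = 50;   // upper bound on list queries (constructed value)
const AUDIT_LOG = [];       // in-memory stand-in for a real audit sink

function requireAuth(context) {
  if (!context || !context.viewerId) throw new Error('unauthenticated');
}

// Weak form: authentication only. Any logged-in user receives every field of any
// record, which is the class of exposure the article describes.
function resolveUserWeak(args, context) {
  requireAuth(context);
  return USERS[args.id] ? { ...USERS[args.id] } : null;
}

// Hardened form: object-level authorization, field-level masking, and an audit record.
function resolveUserHardened(args, context) {
  requireAuth(context);
  const record = USERS[args.id];
  if (!record) return null;
  const isOwner = context.viewerId === record.id;
  const isAdmin = Array.isArray(context.roles) && context.roles.includes('admin');
  const decision = isOwner || isAdmin ? 'full' : 'masked';
  AUDIT_LOG.push({ viewerId: context.viewerId, subjectId: record.id, decision });
  if (decision === 'full') return { ...record };
  // Everyone else gets the public projection; non-public fields resolve to null.
  const projected = {};
  for (const key of Object.keys(record)) {
    projected[key] = PUBLIC_FIELDS.has(key) ? record[key] : null;
  }
  return projected;
}

// Clamp the requested page size so a single list query cannot enumerate the table.
function clampPageSize(first) {
  const n = Number.isInteger(first) && first > 0 ? first : MAX_PAGE_SIZE;
  return Math.min(n, MAX_PAGE_SIZE);
}

// Bulk listing applies the same per-record authorization as the single lookup.
function resolveUsersHardened(args, context) {
  requireAuth(context);
  const limit = clampPageSize(args.first);
  return Object.keys(USERS).slice(0, limit)
    .map((id) => resolveUserHardened({ id }, context));
}

function auditEntries() { return AUDIT_LOG.slice(); }
```

The point of the masked projection is that the authorization decision lives in the resolver, not in whatever client happens to be rendering the profile; a client that only displays a name cannot be relied on to hide the email, phone and date of birth that the weak resolver still ships over the wire.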

TechCrunch confirmed the data exposure by creating a new user account and notified the company’s executives by email. John D. McIntyre, an attorney representing UStrive, responded that the company is currently in litigation with a former software engineer and is therefore limited in its ability to respond.

TechCrunch informed McIntyre that the security lapse exposing children’s private information was still active and asked if and when UStrive planned to fix it. McIntyre did not respond to that inquiry.

Later on Thursday, UStrive’s chief technology officer, Dwamian Mcleish, stated by email that the exposure had been remediated. TechCrunch sent follow-up questions asking if users would be notified, if the company could check for malicious access to the data, and if the platform had undergone a security audit. UStrive founder Michael J. Carter did not comment for this article.