UStrive Data Breach Exposed Children’s Personal Information

Summary
– UStrive, a nonprofit online mentoring platform, fixed a security flaw that exposed the personal data of its users, including children.
– The exposed information included full names, email addresses, phone numbers, and other private details provided by users, accessible to any logged-in individual.
– The vulnerability was in a GraphQL endpoint, allowing access to at least 238,000 user records, some containing sensitive data like gender and date of birth.
– UStrive’s legal representative cited ongoing litigation with a former engineer as limiting their response, and the company did not state if it would notify affected users.
– The company’s CTO confirmed the issue was remediated after TechCrunch’s report but did not answer follow-up questions about user notification or security audits.
A significant data breach at the online mentoring platform UStrive compromised the sensitive personal information of its users, including minors. The security lapse, which has since been addressed, allowed any logged-in user to access private data belonging to others on the site. This exposed information included full names, email addresses, phone numbers, and other user-provided details, posing a serious privacy risk to the students who rely on the service.
The nonprofit organization, which connects high school and college students with mentors, had an authorization flaw in its backend. According to a source familiar with the incident, the platform was using a vulnerable Amazon-hosted GraphQL endpoint. The API endpoint was improperly configured: it checked that a caller was logged in but did not restrict which users’ records that caller could retrieve, so it served stored user data to anyone with an account. By simply using the browser’s developer tools while navigating the site, any user could view streams of personal information from other profiles. Some records contained extensive details like gender and date of birth. The source indicated the exposure involved at least 238,000 user records, a figure that contrasts with UStrive’s public claim of serving over 1.1 million students.
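The failure pattern described above, authentication without object-level authorization, is easiest to see in a resolver. The following is an added example and is not UStrive’s code; it shows a GraphQL-style `user(id:)` resolver in a vulnerable form that only checks for a login, beside a hardened form that also enforces who may see which fields and records cross-user lookups so bulk enumeration stands out in logs. The resolver signature `(parent, args, context)` mirrors graphql-js but no library is used; the user records, field groups, and the `audit` array on the context are all constructed for illustration.

```javascript
// Constructed in-memory user store (hypothetical sample data, not real users).
const USERS = new Map([
  ["u1", { id: "u1", fullName: "Student One", email: "s1@example.invalid",
           phone: "555-0101", dateOfBirth: "2009-04-12", gender: "F", mentorId: "u3" }],
  ["u2", { id: "u2", fullName: "Student Two", email: "s2@example.invalid",
           phone: "555-0102", dateOfBirth: "2008-11-30", gender: "M", mentorId: "u3" }],
  ["u3", { id: "u3", fullName: "Mentor Three", email: "m3@example.invalid",
           phone: "555-0103", dateOfBirth: "1985-01-01", gender: "M", mentorId: null }],
]);

// Field groups are an assumed policy: public profile, contact details, and
// the sensitive attributes the report calls out (gender, date of birth).
const PUBLIC_FIELDS = ["id", "fullName"];
const CONTACT_FIELDS = ["email", "phone"];
const SENSITIVE_FIELDS = ["dateOfBirth", "gender"];

function pick(record, fields) {
  return Object.fromEntries(fields.filter((f) => f in record).map((f) => [f, record[f]]));
}

// Vulnerable form: the only check is "is somebody logged in?". Every
// authenticated viewer receives the full record of any user id they ask for.
function userResolverVulnerable(_parent, args, context) {
  if (!context.viewerId) throw new Error("unauthenticated");
  return USERS.get(args.id) ?? null;
}

// Hardened form, step 1: decide per (viewer, target) pair which fields are
// visible. Owners see everything; an assigned mentor sees contact details
// but not the minor's date of birth or gender; everyone else sees the
// public profile only.
function allowedFields(viewer, target) {
  if (viewer.id === target.id) return [...PUBLIC_FIELDS, ...CONTACT_FIELDS, ...SENSITIVE_FIELDS];
  if (target.mentorId === viewer.id) return [...PUBLIC_FIELDS, ...CONTACT_FIELDS];
  return PUBLIC_FIELDS;
}

// Hardened form, step 2: apply the field policy and write an audit entry for
// every cross-user lookup (context.audit stands in for a structured log).
function userResolverHardened(_parent, args, context) {
  if (!context.viewerId) throw new Error("unauthenticated");
  const viewer = USERS.get(context.viewerId);
  const target = USERS.get(args.id);
  if (!viewer || !target) return null;
  const fields = allowedFields(viewer, target);
  if (viewer.id !== target.id) {
    context.audit.push({ viewerId: viewer.id, targetId: target.id, fieldCount: fields.length });
  }
  return pick(target, fields);
}

// Detection: one viewer reading many distinct other users' records is the
// signature of the mass exposure described in the article. Returns the ids
// of viewers whose distinct-target count reaches the threshold.
function enumerationSuspects(auditEntries, threshold) {
  const targetsByViewer = new Map();
  for (const entry of auditEntries) {
    if (!targetsByViewer.has(entry.viewerId)) targetsByViewer.set(entry.viewerId, new Set());
    targetsByViewer.get(entry.viewerId).add(entry.targetId);
  }
  return [...targetsByViewer]
    .filter(([, targets]) => targets.size >= threshold)
    .map(([viewerId]) => viewerId);
}

// Stand-alone demonstration: a student account looking up another student.
function demo() {
  const ctx = { viewerId: "u1", audit: [] };
  console.log("vulnerable:", userResolverVulnerable(null, { id: "u2" }, ctx));
  console.log("hardened:  ", userResolverHardened(null, { id: "u2" }, ctx));
  console.log("audit:     ", ctx.audit);
}
demo();
```

In a real deployment the per-field policy belongs in one shared authorization layer rather than in each resolver, so that a new query or relationship cannot reach a record without passing through it, and the audit entries feed the same alerting pipeline that watches for credential stuffing, since both attacks look like one account touching an unusual number of other accounts.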
The company’s leadership provided limited commentary on the event. After being notified, UStrive’s chief technology officer, Dwamian Mcleish, stated the issue had been “remediated.” However, the organization declined to answer critical follow-up questions. It would not confirm if it plans to notify the affected users about the breach, whether it can determine if any malicious access occurred, or if the platform has undergone an independent security audit. Legal representation for UStrive cited ongoing litigation with a former software engineer as a factor limiting their response, but did not address the immediate security concerns raised while the data was still exposed.
The incident underscores the heightened responsibility organizations have when handling children’s data. The exposure of minors’ personal information carries particular legal and ethical weight, often triggering specific regulatory notification requirements. For a service built on trust between mentors and students, such a security failure could significantly damage user confidence. The lack of clear communication from UStrive regarding user notification and audit practices leaves important questions about accountability and future risk mitigation unanswered.
(Source: TechCrunch)