Online mentoring site UStrive has resolved a security lapse that exposed the personal information of its users, including children.
The exposed data included the full names, email addresses, phone numbers, and other non-public and user-provided information of UStrive users, which was accessible to any other logged-in user.
The nonprofit, previously known as Strive for College, provides online mentorship to high school and college students through its platform. The organization would not say whether it plans to inform users about the security incident.
Last week, a person who asked not to be named alerted TechCrunch to the security flaw on UStrive’s mentoring platform. By examining the network traffic while signed in and navigating the site — such as viewing user profiles — anyone could see streams of users’ personal information in their browser tools.
The person said that UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint — a type of query database interface — that allowed access to reams of user data stored on UStrive’s servers. Some user records contained more data than others, including information provided by the student, such as their gender and date of birth. The person said that there were at least 238,000 user records at the time of discovery. UStrive meanwhile states on its home page that more than “1.1 million students have opted in for a UStrive mentor.”
TechCrunch confirmed the data exposure after creating a new user account on UStrive, and notified the company’s executives by email on Thursday.
John D. McIntyre, an attorney with Virginia law firm McIntyre Stein, which is representing UStrive, said in a letter provided to TechCrunch later on Thursday that UStrive is “currently in litigation with one of its former software engineers,” and as such the company is “somewhat limited in its abi …