Online mentoring site UStrive has resolved a security flaw that exposed the personal information of users, including children.
The leaked data included UStrive users' names, email addresses, phone numbers, and other private and user-provided information, and was accessible to other logged-in users.
The nonprofit, formerly known as Strive for College, provides online instruction to high school and college students through its platform. The organization did not say whether it plans to notify users about the security incident.
Last week, someone who requested anonymity alerted TechCrunch to a security flaw in UStrive's mentoring platform. By inspecting the network traffic in their browser tools while logged in and navigating the site, including when viewing a user profile, any user could see streams of other users' personal information.
According to the person, UStrive relied on a vulnerable GraphQL endpoint (a type of database query interface) hosted by Amazon, which allowed access to large amounts of user data stored on UStrive's servers. Some user records contained more data than others, including student-provided information such as gender and date of birth. The person said there were at least 238,000 user records at the time of the discovery. Meanwhile, UStrive's home page states that “over 1.1 million students have opted in to UStrive Mentoring.”
TechCrunch confirmed the data breach after creating a new user account on UStrive and notified company executives via email on Thursday.
In a letter provided to TechCrunch late Thursday, attorney John D. McIntyre of the Virginia law firm McIntyre Stein, which is representing UStrive, said UStrive is “currently engaged in litigation with one of its former software engineers,” which leaves the company with a “somewhat limited ability to respond.”
TechCrunch told McIntyre that, at the time, the company still had a security flaw that exposed children's private and personal information, and asked McIntyre to tell TechCrunch whether UStrive planned to fix the data exposure and, if so, by when.
Mr. McIntyre did not respond to our inquiries.
In response to TechCrunch's initial outreach, Dwamian Mcleish, UStrive's chief technology officer, told TechCrunch in an email late Thursday that the exposure had been “remediated.”
TechCrunch sent Mcleish a follow-up email with further questions about the incident. These included whether the company plans to notify users about the security lapse, whether it has the ability to determine whether there has been inappropriate or malicious access to users' data, and whether the company's platform has undergone security audits and, if so, by whom.
UStrive founder Michael J. Carter did not comment for this article.

