UStrive security lapse exposed personal data of its users, including children

UStrive, an online mentoring platform, has recently addressed a significant security vulnerability that compromised the personal information of its users, including minors. The breach exposed sensitive data such as full names, email addresses, and phone numbers, which were accessible to any authenticated user on the site. Originally established as Strive for College, UStrive aims to facilitate mentorship connections for high school and college students. However, the organization has remained silent on whether it intends to notify affected users about this security incident. A whistleblower alerted TechCrunch to the flaw, revealing that by simply logging in and browsing the platform, any user could access streams of personal information through their browser’s developer tools. The source of the vulnerability was linked to an insecure Amazon-hosted GraphQL endpoint, which allowed unauthorized access to vast amounts of user data stored on UStrive’s servers. At the time of the breach, there were approximately 238,000 user records at risk, with some entries containing detailed information such as gender and date of birth. Despite UStrive claiming on its homepage that over 1.1 million students have sought mentorship through their platform, the security lapse raised significant concerns. TechCrunch confirmed the data breach by creating a new account on UStrive and subsequently notifying the company's executives. An attorney representing UStrive, John D. McIntyre, mentioned in correspondence that the organization is currently embroiled in litigation with a former software engineer, which may limit their responses regarding the incident. In response to inquiries about the breach, UStrive's Chief Technology Officer, Dwamian Mcleish, stated that the security issue had been resolved. However, further questions about user notification, potential unauthorized access to data, and whether a security audit had been conducted went unanswered. Founder Michael J. Carter did not provide any comments regarding the situation.