\n<\/p>\n
Online mentoring site UStrive has resolved a security lapse that exposed the personal information of its users, including children.\u00a0<\/p>\n
The exposed data included the full names, email addresses, phone numbers, and other non-public and user-provided information of UStrive users, which was accessible to any other logged-in user.<\/p>\n
The nonprofit, previously known as Strive for College, provides online mentorship to high school and college students through its platform. The organization would not say whether it plans to inform users about the security incident.\u00a0<\/p>\n
Last week, a person who asked not to be named alerted TechCrunch to the security flaw on UStrive\u2019s mentoring platform. By examining the network traffic while signed in and navigating the site \u2014 such as viewing user profiles \u2014 anyone could see streams of users\u2019 personal information in their browser tools.<\/p>\n
The person said that UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint \u2014 a type of query database interface \u2014 that allowed access to reams of user data stored on UStrive\u2019s servers. Some user records contained more data than others, including information provided by the student, such as their gender and date of birth.\u00a0The person said that there were at least 238,000 user records at the time of discovery. UStrive meanwhile states on its home page<\/a> that more than \u201c1.1 million students have opted in for a UStrive mentor.\u201d<\/p>\n TechCrunch confirmed the data exposure after creating a new user account on UStrive, and notified the company\u2019s executives by email on Thursday.<\/p>\n John D. McIntyre, an attorney with Virginia law firm McIntyre Stein, which is representing UStrive, said in a letter provided to TechCrunch later on Thursday that UStrive is \u201ccurrently in litigation with one of its former software engineers,\u201d and as such the company is \u201csomewhat limited in its ability to respond.\u201d\u00a0<\/p>\n TechCrunch told McIntyre that the company at that time still had a security lapse exposing the private and personal information of children, and asked McIntyre to notify TechCrunch if UStrive planned to fix the data exposure, and if so, by when.<\/p>\n McIntyre did not respond to our inquiry.\u00a0<\/p>\n In response to TechCrunch\u2019s initial outreach, UStrive chief technology officer Dwamian Mcleish told TechCrunch by email late on Thursday that the exposure had been \u201cremediated.\u201d\u00a0<\/p>\n TechCrunch sent Mcleish follow-up emails with more questions about the incident, including: whether the company plans to notify its users about the security lapse, whether the company has the ability to check if there was any improper or malicious access to users\u2019 data, and whether the company\u2019s platform had undergone a security audit and, if so, by whom.<\/p>\n UStrive founder Michael J. Carter did not comment for this article.\u00a0<\/p>\n<\/div>\n