A security lapse at UStrive exposed personal data belonging to its users, including children.

Continue reading
UStrive, an online mentoring platform for high school and college students, recently had a serious security lapse that exposed the personal information of its users — including minors. The nonprofit said the issue has been fixed, but it hasn’t committed to notifying affected users or shared many details about what happened.
An anonymous security researcher discovered a vulnerability in UStrive’s platform that made user data visible to any logged-in account holder. The flaw stemmed from a misconfiguration Amazon-hosted GraphQL endpoint that allowed authenticated users to run queries and access others' private information.
GraphQL is a query language used by many modern web services to request just the data they need. In this case, the endpoint lacked proper access controls, so browsing user profiles or inspecting network traffic allowed viewing structured personal data from the backend database via browser developer tools.
At the time the vulnerability was found, at least 238,000 user records were accessible. Exposed information included:
Because UStrive’s service is used by high school and college students, many of the exposed records involved minors.
It was confirmed the exposure by creating a new UStrive account and reviewing the site. The team notified UStrive executives by email about the security issue on Thursday.
A legal representative for UStrive, attorney John D. McIntyre of McIntyre Stein, said the organization is currently in litigation with a former software engineer, limiting how fully it can respond to external inquiries. McIntyre did not answer follow-up questions about notification plans or timelines.
UStrive’s Chief Technology Officer Dwamian Mcleish told TechCrunch by email that the exposure has been “remediated.” The company has not publicly detailed what steps were taken to fix the flaw or whether it will alert affected users.
However, also asked whether UStrive has the capability to determine if any data was improperly accessed or whether it has conducted a security audit of the platform, but did not receive responses to those questions by the time of publication.
Even though the flaw is now fixed, several key points remain unknown:
These gaps underscore broader concerns about how data breaches and security lapses are handled when they involve minors and nonprofit platforms.
UStrive (formerly known as Strive for College) connects students with mentors to help with college planning and application processes. The organization’s own site states that more than 1.1 million students are connected through its platform, suggesting the potential scale of impact if the exposed records represent a fraction of its total user base.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been