Online mentoring platform UStrive, a nonprofit previously known as Strive for College, recently addressed a significant security lapse that exposed the personal information of its users, including minors. The breach, which allowed any logged-in user to access sensitive data such as full names, email addresses, and phone numbers, has reportedly been fixed, but the organization has not committed to notifying affected individuals.
Details of the Data Exposure
The vulnerability was first brought to TechCrunch's attention by an anonymous source last week. This individual discovered that by simply navigating the UStrive site while logged in—for instance, by viewing user profiles—they could observe streams of personal data through their browser's developer tools.
The core of the problem lay with a vulnerable Amazon-hosted GraphQL endpoint, a type of API query interface, which granted unauthorized access to vast amounts of user data stored on UStrive's servers. Some user records contained more extensive information, including students' gender and date of birth.
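The flaw described above is a login check standing in for an authorization check. The following is an added example, not UStrive's code: a resolver that returns a whole record to any logged-in user, next to one that filters fields by the viewer's relationship to the record. The records, field names, roles and the "matched mentor" policy are all assumptions made for illustration.

```javascript
// Constructed sample records; every name and value here is hypothetical.
const USERS = new Map([
  ["u1", { id: "u1", role: "student", firstName: "Ana", fullName: "Ana Example",
           email: "ana@example.test", phone: "555-0100", gender: "F",
           dateOfBirth: "2008-01-01", mentorId: "u2" }],
  ["u2", { id: "u2", role: "mentor", firstName: "Ben", fullName: "Ben Example",
           email: "ben@example.test", phone: "555-0101", gender: "M",
           dateOfBirth: "1990-01-01", mentorId: null }],
  ["u3", { id: "u3", role: "student", firstName: "Cy", fullName: "Cy Example",
           email: "cy@example.test", phone: "555-0102", gender: "M",
           dateOfBirth: "2007-05-05", mentorId: null }],
]);

// Fields any logged-in user may read on someone else's profile (assumed policy).
const PUBLIC_FIELDS = ["id", "role", "firstName"];
// Extra fields shared between a student and their matched mentor (assumed policy).
const MATCHED_FIELDS = [...PUBLIC_FIELDS, "fullName", "email"];

// Weak pattern: authentication only. Any logged-in viewer gets the full record.
function userResolverVulnerable(_parent, args, ctx) {
  if (!ctx.viewer) throw new Error("UNAUTHENTICATED");
  return USERS.get(args.id) ?? null;
}

// Copy only the allowed fields, so a new column added later is not exposed by default.
function pick(record, fields) {
  return Object.fromEntries(fields.map((f) => [f, record[f]]));
}

// Hardened pattern: authenticate, then authorize per object and per field.
function userResolver(_parent, args, ctx) {
  if (!ctx.viewer) throw new Error("UNAUTHENTICATED");
  const target = USERS.get(args.id);
  if (!target) return null;
  const viewer = ctx.viewer;
  // Owners and admins see the whole record.
  if (viewer.id === target.id || viewer.role === "admin") return { ...target };
  // The match is looked up server-side, never taken from the request.
  const matched = target.mentorId === viewer.id ||
    USERS.get(viewer.id)?.mentorId === target.id;
  return pick(target, matched ? MATCHED_FIELDS : PUBLIC_FIELDS);
}
```

The allowlist in `pick` is the important part: fields are withheld unless a rule grants them, rather than exposed unless a rule hides them.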
At the time of discovery, the anonymous source estimated at least 238,000 user records were exposed. This figure stands in contrast to UStrive's home page claim of having over "1.1 million students opted in for a UStrive mentor."
TechCrunch's Investigation and UStrive's Response
TechCrunch independently verified the data exposure by creating a new user account on the platform. Following this confirmation, the publication promptly notified UStrive executives via email.
Later the same day, John D. McIntyre, an attorney representing UStrive from the Virginia law firm McIntyre Stein, informed TechCrunch that UStrive was "currently in litigation with one of its former software engineers." He stated that this ongoing legal battle "somewhat limited" the company's ability to respond fully. TechCrunch pressed McIntyre on whether UStrive planned to fix the data exposure and, if so, by when, but received no further reply.
However, UStrive's Chief Technology Officer, Dwamian Mcleish, did respond to TechCrunch's initial outreach late Thursday, confirming that the exposure had been "remediated."
Unanswered Questions Remain
Despite the CTO's assurance of a fix, UStrive has remained silent on several critical questions posed by TechCrunch. These include whether the company intends to notify its users about the security lapse, whether it has the capability to determine if any improper or malicious access to user data occurred, and whether the platform has undergone any security audits and, if so, by whom. UStrive founder Michael J. Carter also declined to comment for the article.





