At a Glance
- UStrive exposed personal data of hundreds of thousands of users, including children, through a vulnerable GraphQL endpoint.
- The breach involved 238,000 records, with some containing gender and date of birth.
- The nonprofit has more than 1.1 million students on its platform.
- Why it matters: The data leak could allow anyone logged in to view private information of other users.
UStrive, a nonprofit that offers online mentorship to high-school and college students, has announced that a security flaw on its platform exposed personal data of its users, including children.
Discovery of the Breach
A user who requested anonymity alerted the brand to the vulnerability last week. By inspecting network traffic while signed in and navigating the site, for example by viewing user profiles, the user could see streams of other users’ personal information in browser developer tools. The brand confirmed the exposure after creating a new account and notified executives by email on Thursday.
What Was Exposed
The exposed data was accessible to any other logged-in user and included:
- Full names
- Email addresses
- Phone numbers
- Other non-public, user-provided information; some records also contained gender and date of birth
At the time of discovery, the user who alerted the brand estimated that 238,000 user records were affected.
Technical Root Cause
UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint, an API interface through which clients query stored data. The endpoint allowed access to large amounts of user data stored on UStrive’s servers. Because the endpoint did not restrict which records a logged-in account could query, any authenticated user could retrieve personal information about other users.
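The failure described above is an authorization gap, not an authentication gap: the endpoint checked that a caller was logged in but not that the caller was entitled to the record requested. The following is an added illustration, not UStrive’s code; it uses hand-written resolver functions in the shape graphql-js calls them (parent, args, context), with a constructed in-memory user store in place of a real database, so it runs without the GraphQL library. It shows the vulnerable resolver, a hardened one that applies per-record authorization, and a small audit check of the kind the follow-up question about detecting improper access would need.

```javascript
// Constructed sample records (not real users).
const users = new Map([
  [1, { id: 1, name: "Alice Sample", email: "alice@example.org", phone: "555-0100", dob: "2007-03-01" }],
  [2, { id: 2, name: "Bob Sample", email: "bob@example.org", phone: "555-0101", dob: "2006-11-20" }],
]);

// Fields any logged-in user may see on someone else's profile; the rest is owner-only.
const PUBLIC_FIELDS = ["id", "name"];

// Vulnerable pattern: the resolver only checks that a viewer is logged in,
// then returns the full record for whatever id the client asked for.
function userResolverVulnerable(_parent, { id }, context) {
  if (!context.viewer) throw new Error("unauthenticated");
  return users.get(id) ?? null;
}

// Hardened pattern: same signature, but object-level authorization is applied.
// The owner (or an admin, assumed role name) gets the full record; others get
// only PUBLIC_FIELDS. Every lookup is written to an audit log in the context.
function userResolverHardened(_parent, { id }, context) {
  const { viewer, audit } = context;
  if (!viewer) throw new Error("unauthenticated");
  const record = users.get(id);
  if (!record) return null;
  const fullAccess = viewer.id === record.id || viewer.role === "admin";
  audit.push({ viewerId: viewer.id, targetId: id, fullAccess });
  if (fullAccess) return record;
  return Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, record[f]]));
}

// Detection helper: how many distinct other users each viewer has looked up.
// A single account pulling thousands of profiles is the signal an operator
// would look for when checking for bulk scraping of the endpoint.
function distinctTargetsPerViewer(audit) {
  const seen = new Map();
  for (const { viewerId, targetId } of audit) {
    if (viewerId === targetId) continue;
    if (!seen.has(viewerId)) seen.set(viewerId, new Set());
    seen.get(viewerId).add(targetId);
  }
  return Object.fromEntries([...seen].map(([v, s]) => [v, s.size]));
}
```

The fix is per-field and per-record: authentication at the gateway is not a substitute for checking, inside each resolver, that the viewer may see the specific object and fields returned.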
Company Response
UStrive’s chief technology officer, Dwamian Mcleish, emailed the brand late on Thursday, stating that the exposure had been remediated. The brand followed up with additional questions:
- Will the company notify users about the lapse?
- Does the company have the ability to check for improper or malicious access?
- Has the platform undergone a security audit, and if so, by whom?
UStrive’s legal counsel, John D. McIntyre of McIntyre Stein, wrote that the organization is currently in litigation with one of its former software engineers and is therefore somewhat limited in its ability to respond.

Legal Context
McIntyre sent a letter to the brand stating that UStrive’s ability to respond is constrained by ongoing litigation. The brand asked McIntyre to notify it if UStrive planned to fix the data exposure and, if so, by when. McIntyre did not respond to the brand’s inquiry.
Current Status
UStrive has not yet announced whether it will inform users about the security lapse. The founder, Michael J. Carter, did not comment on the situation.
Timeline of Events
| Date | Event |
|---|---|
| Last week | Anonymous user alerts brand to vulnerability |
| Thursday | Brand confirms exposure, emails executives |
| Late Thursday | CTO confirms remediation |
| Thursday | Brand sends follow-up questions |
Key Takeaways
- The breach exposed sensitive personal data of 238,000 users, including children.
- The flaw stemmed from a vulnerable Amazon-hosted GraphQL endpoint.
- UStrive has more than 1.1 million students on its platform, raising the potential impact.
- The company has remediated the vulnerability but has not yet confirmed whether it will notify users.
- Legal constraints may limit the company’s response capabilities.
UStrive’s situation highlights the importance of securing GraphQL endpoints and the potential risks when user data is accessible to other authenticated users.