
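UStrive security flaw exposes users' personal data, including children's data
Online mentoring platform UStrive has fixed a security flaw that inadvertently exposed the personal information of its users, including children. The data included names, email addresses and phone numbers, and could be accessed by other logged-in users.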

UStrive security lapse exposed personal data of its users, including children
Online mentoring site UStrive has resolved a security lapse that exposed the personal information of its users, including children.
The exposed data included the full names, email addresses, phone numbers, and other non-public and user-provided information of UStrive users, which was accessible to any other logged-in user.
The nonprofit, previously known as Strive for College, provides online mentorship to high school and college students through its platform. The organization would not say whether it plans to inform users about the security incident.
Last week, a person who asked not to be named alerted TechCrunch to the security flaw on UStrive’s mentoring platform. By examining the network traffic while signed in and navigating the site — such as viewing user profiles — anyone could see streams of users’ personal information in their browser tools.
The person said that UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint — a type of query database interface — that allowed access to reams of user data stored on UStrive’s servers. Some user records contained more data than others, including information provided by the student, such as their gender and date of birth. The person said that there were at least 238,000 user records at the time of discovery. UStrive meanwhile states on its home page that more than “1.1 million students have opted in for a UStrive mentor.”
TechCrunch confirmed the data exposure after creating a new user account on UStrive, and notified the company’s executives by email on Thursday.
John D. McIntyre, an attorney with Virginia law firm McIntyre Stein, which is representing UStrive, said in a letter provided to TechCrunch later on Thursday that UStrive is “currently in litigation with one of its former software engineers,” and as such the company is “somewhat limited in its ability to respond.”
TechCrunch told McIntyre that the company at that time still had a security lapse exposing the private and personal information of children, and asked McIntyre to notify TechCrunch if UStrive planned to fix the data exposure, and if so, by when.
McIntyre did not respond to our inquiry.
In response to TechCrunch’s initial outreach, UStrive chief technology officer Dwamian Mcleish told TechCrunch by email late on Thursday that the exposure had been “remediated.”
TechCrunch sent Mcleish follow-up emails with more questions about the incident, including: whether the company plans to notify its users about the security lapse, whether the company has the ability to check if there was any improper or malicious access to users’ data, and whether the company’s platform had undergone a security audit and, if so, by whom.
UStrive founder Michael J. Carter did not comment for this article.