Top online mentor site UStrive admits breach exposed data on children

News
By published

Error in UStrive website allowed anyone to view sensitive user data

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
(Image credit: Shutterstock)
  • Researcher found UStrive flaw exposing sensitive data of 238,000 users, including minors
  • Company claims leak was fixed but gave no details on duration or notifications
  • Database misconfigurations often cause leaks, leading to reputational, financial, and legal consequences

Popular US online mentoring company UStrive was leaking sensitive information on hundreds of thousands of its users, experts have revealed.

A security researcher who decided to remain anonymous reached out to TechCrunch, saying they discovered a flaw in UStrive’s website that allowed them to view personal information of other users.

Since UStrive was using Amazon-hosted GraphQL, which is a query language for APIs that lets clients request exactly the data they need, the researcher was able to see the information in their browser tools while examining network traffic.

Issue fixed

The researcher claims that they were able to access sensitive data on 238,000 users, including full names, email addresses, phone numbers, as well as other user-provided data. It is also worth mentioning that, due to the nature of the service, many of its users are minors.

TechCrunch reached out to UStrive directly and, after a little bit of back-and-forth, was informed that the leak was “remedied”. No other details were shared, so we don’t know for how long the information remained accessible, or if anyone accessed it before - especially malicious actors.

We also don’t know how UStrive fixed the problem, or if it will notify the affected individuals of the mishap.

A legal representative of the company told TechCrunch it is currently in litigation with one of its former software engineers, which makes it “somewhat limited in its ability to respond”.

Database misconfigurations remain one of the main causes of data leaks across the world. In a cloud environment, data security is a shared responsibility, meaning customers are obliged to use all available resources to make their data inaccessible to unauthorized third parties.

This is often not the case, resulting in major data spills. These can, in turn, lead to financial damage, ruined reputation, loss of business and customers and, in some cases, class-action lawsuits.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.