UStrive Mentorship Platform Security Breach Exposes Sensitive User Data, Including Children

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Vulnerability Identified: A misconfigured GraphQL endpoint on the UStrive mentorship platform allowed authenticated users to access the private data of other users.
  • Scope of Exposure: This potentially affected at least 238,000 records, including names, email addresses, phone numbers, and demographic data.
  • Remediation Status: UStrive has patched the vulnerability following disclosure, though it has not confirmed whether it will notify affected individuals.

UStrive, a nonprofit online mentorship platform that connects high school and college students with mentors, suffered a security lapse stemming from an improperly secured Amazon-hosted GraphQL endpoint. This architectural flaw permitted any logged-in user to query the backend database and retrieve non-public information belonging to other users. 

Technical Analysis of the User Data Vulnerability

The flaw was discovered through network traffic analysis. By inspecting the browser's traffic to the GraphQL endpoint, any logged-in user, with no authorization to view other users' records, could issue queries that returned structured data from the organization's servers in bulk.
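The pattern described above, an authenticated but unauthorized read through a GraphQL resolver, shown in a constructed JavaScript example added here (not UStrive's code; the user records, the field policy and the mentor relationship are assumptions): a resolver that checks only that the caller is logged in sits beside one that also applies an object-level authorization check, followed by a log heuristic a defender could use to spot one session pulling many other users' records.

```javascript
// Constructed sample records standing in for the platform's user table (not UStrive's real schema).
const USERS = {
  u1: { id: "u1", name: "Alice", email: "alice@example.org", phone: "555-0101", age: 17, mentorId: "u2" },
  u2: { id: "u2", name: "Bob",   email: "bob@example.org",   phone: "555-0102", age: 41, mentorId: null },
  u3: { id: "u3", name: "Carol", email: "carol@example.org", phone: "555-0103", age: 16, mentorId: "u2" },
};
const PUBLIC_FIELDS = ["id", "name"]; // everything else is treated as private PII

// Vulnerable resolver: authentication only. Any logged-in viewer gets the full record for any id.
function resolveUserVulnerable(ctx, args) {
  if (!ctx.viewerId) throw new Error("unauthenticated");
  return USERS[args.id] ? { ...USERS[args.id] } : null;
}

// Assumed authorization policy: private fields are visible to the record owner and to that user's mentor.
function canViewPrivate(viewerId, user) {
  return viewerId === user.id || user.mentorId === viewerId;
}

// Hardened resolver: same authentication, plus an object-level check before private fields leave the resolver.
function resolveUserHardened(ctx, args) {
  if (!ctx.viewerId) throw new Error("unauthenticated");
  const user = USERS[args.id];
  if (!user) return null;
  if (canViewPrivate(ctx.viewerId, user)) return { ...user };
  return Object.fromEntries(PUBLIC_FIELDS.map((k) => [k, user[k]]));
}

// Detection heuristic over access-log events [{ session, viewerId, queriedId }]:
// a session resolving at least `threshold` distinct records other than its own is flagged for review.
function flagEnumeratingSessions(events, threshold) {
  const seen = new Map();
  for (const e of events) {
    if (e.queriedId === e.viewerId) continue; // reading your own record is normal
    if (!seen.has(e.session)) seen.set(e.session, new Set());
    seen.get(e.session).add(e.queriedId);
  }
  return [...seen].filter(([, ids]) => ids.size >= threshold).map(([s]) => s);
}
```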

At the time the breach was discovered, the accessible database contained approximately 238,000 user records, according to TechCrunch. The exposed dataset included personally identifiable information (PII) such as names, email addresses, phone numbers, and demographic data.

Company Response and Remediation

Following the responsible disclosure of the vulnerability, UStrive’s Chief Technology Officer, Dwamian Mcleish, stated late Thursday that the issue has been "remediated." However, the organization's legal representation indicated limitations in their response due to ongoing litigation with a former software engineer. 

Despite the fix, UStrive has not committed to notifying the affected user base, nor has it clarified if forensic analysis was conducted to detect potential malicious exploitation prior to the patch. This lack of transparency regarding breach notification protocols highlights a critical gap in incident response management.
