Exclusive: UStrive security lapse exposed personal data of its users, including children

"The exposed data included the full names, email addresses, phone numbers, and other non-public and user-provided information of UStrive users, which was accessible to any other logged-in user. The nonprofit, previously known as Strive for College, provides online mentorship to high school and college students through its platform. The organization would not say whether it plans to inform users about the security incident."
"The person said that UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint - a type of query database interface - that allowed access to reams of user data stored on UStrive's servers. Some user records contained more data than others, including information provided by the student, such as their gender and date of birth. The person said that there were at least 238,000 user records at the time of discovery."
UStrive resolved a security lapse that exposed the personal information of its users, including children. Exposed data included full names, email addresses, phone numbers, and other non-public, user-provided information accessible to any logged-in user. Anyone signed in could see streams of personal information via browser network tools when navigating the site and viewing user profiles. The platform relied on a vulnerable Amazon-hosted GraphQL endpoint that allowed access to large amounts of user data stored on UStrive's servers. Some records included additional details such as gender and date of birth. There were at least 238,000 user records at discovery, while UStrive states over 1.1 million students have opted in. The organization is in litigation with a former software engineer and says legal matters limit its ability to respond; the organization has not said whether it will notify users.
Read at TechCrunch