UStrive Data Leak Exposes Sensitive Information of 238,000 Users, Including Minors
A security researcher discovered a critical flaw in UStrive, a U.S.-based online mentoring platform, that exposed the personal data of approximately 238,000 users. The vulnerability, found in the company’s Amazon-hosted GraphQL API, allowed unauthorized access to sensitive information, including full names, email addresses, phone numbers, and other user-provided details. Due to the nature of the service, many affected users were minors.
The researcher, who chose to remain anonymous, identified the issue while analyzing network traffic in their browser tools and reported it to TechCrunch. After contacting UStrive, the company confirmed the leak had been "remedied" but provided no further details on how long the data was exposed, whether malicious actors accessed it, or if affected users would be notified.
UStrive’s legal representative cited ongoing litigation with a former software engineer as a limiting factor in their response. The incident highlights the risks of database misconfigurations in cloud environments, which remain a leading cause of data breaches. Such leaks can result in financial losses, reputational damage, and legal consequences for affected organizations.
UStrive cybersecurity rating report: https://www.rankiteo.com/company/ustrive
"id": "UST1769009192",
"linkid": "ustrive",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '238,000',
'industry': 'Education/Technology',
'location': 'U.S.',
'name': 'UStrive',
'type': 'Online Mentoring Platform'}],
'attack_vector': 'API Misconfiguration',
'data_breach': {'number_of_records_exposed': '238,000',
'personally_identifiable_information': 'Full names, email '
'addresses, phone '
'numbers',
'sensitivity_of_data': "High (includes minors' data)",
'type_of_data_compromised': 'Personal Identifiable '
'Information (PII)'},
'description': 'A security researcher discovered a critical flaw in UStrive, '
'a U.S.-based online mentoring platform, that exposed the '
'personal data of approximately 238,000 users. The '
'vulnerability, found in the company’s Amazon-hosted GraphQL '
'API, allowed unauthorized access to sensitive information, '
'including full names, email addresses, phone numbers, and '
'other user-provided details. Many affected users were minors.',
'impact': {'brand_reputation_impact': 'Reputational damage',
'data_compromised': 'Full names, email addresses, phone numbers, '
'and other user-provided details',
'identity_theft_risk': 'High',
'legal_liabilities': 'Possible legal consequences',
'systems_affected': 'Amazon-hosted GraphQL API'},
'lessons_learned': 'Highlights the risks of database misconfigurations in '
'cloud environments, which remain a leading cause of data '
'breaches.',
'post_incident_analysis': {'root_causes': 'GraphQL API misconfiguration in '
'cloud environment'},
'references': [{'source': 'TechCrunch'}],
'regulatory_compliance': {'legal_actions': 'Ongoing litigation with a former '
'software engineer'},
'response': {'containment_measures': 'Vulnerability remedied'},
'title': 'UStrive Data Leak Exposes Sensitive Information of 238,000 Users, '
'Including Minors',
'type': 'Data Leak',
'vulnerability_exploited': 'GraphQL API Misconfiguration'}