Strix’s AI hacking agent found zero tenant isolation on Schemata’s API, exposing U.S. service member records and military training materials for 150 days after ignored disclosure attempts.
Key Takeaways
Any authenticated user could enumerate the full user base, including names, emails, and military base assignments, via unauthenticated organization-scoped API endpoints.
Exposed data included AWS S3 links to confidential training manuals covering explosive ordnance handling, naval maintenance, and Air Force operations.
Write-enabled routes lacked authorization checks, meaning a low-privilege account could modify or delete courses platform-wide.
Schemata’s CEO initially responded with “I assume you want to get paid for it” and went silent for months; remediation only began after Strix announced publication.
DFARS 252.204-7012 and CMMC requirements mandate breach reporting for CUI; Strix flags that this exposure likely constitutes a reportable incident under federal contractor rules.
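As an added illustration (not Schemata's code and not from the Strix write-up): a minimal in-memory API layer showing the two failures listed above, a read route with no tenant check and a write route with no authorization check, each beside its enforced form. All names, handlers and sample records are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Identity established by authentication; authorization is still checked per request."""
    user_id: str
    org_id: str
    role: str  # "member" or "admin"


class Forbidden(Exception):
    pass


# Constructed sample data: two tenants (organizations) sharing one platform.
USERS = {
    "u1": {"org_id": "org-A", "name": "Alice", "email": "alice@example.org"},
    "u2": {"org_id": "org-A", "name": "Bob", "email": "bob@example.org"},
    "u3": {"org_id": "org-B", "name": "Carol", "email": "carol@example.org"},
}


def list_org_users_unsafe(caller, org_id, users=USERS):
    # Missing tenant check: any authenticated caller may supply any org_id and read its users.
    return [u for u in users.values() if u["org_id"] == org_id]


def list_org_users(caller, org_id, users=USERS):
    # Tenant isolation: the organization named in the request must be the caller's own.
    if caller.org_id != org_id:
        raise Forbidden(f"{caller.user_id} may not read {org_id}")
    return [u for u in users.values() if u["org_id"] == org_id]


def delete_course_unsafe(caller, courses, course_id):
    # Write route with no authorization: a low-privilege account can delete any course.
    return courses.pop(course_id, None) is not None


def delete_course(caller, courses, course_id):
    # Object-level check on every write: same tenant AND an admin role, before mutating.
    course = courses.get(course_id)
    if course is None:
        return False
    if course["org_id"] != caller.org_id or caller.role != "admin":
        raise Forbidden(f"{caller.user_id} may not delete {course_id}")
    del courses[course_id]
    return True


def denied(fn, *args):
    """True if the handler refuses the call with Forbidden (compares both variants)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Running `list_org_users_unsafe(Caller("u3", "org-B", "member"), "org-A")` returns org-A's two records to an org-B member, while `list_org_users` with the same arguments raises `Forbidden`.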
Hacker News Comment Review
Discussion was minimal and focused on the a16z acronym being opaque to non-VC-native readers, with one commenter noting the article itself never expands it.
One commenter called for accountability for Schemata and the CEO directly, but no technical analysis or deeper regulatory discussion emerged in the thread.