May 4, 2026
Classified? More like unguarded
U.S. military data left exposed at an a16z startup for 150 days
Andreessen Horowitz-backed defense startup is getting roasted after military records sat open for months
TLDR: A defense training startup backed by Andreessen Horowitz reportedly left military-related records and documents exposed for 150 days before fixing the problem. Commenters are furious about the response, roasting the CEO and even derailing into a side fight over confusing tech-speak in the headline.
The internet did what it always does when a defense startup fumbles sensitive data: it grabbed popcorn and started yelling. The big shocker here is brutally simple: Schemata, an AI military training company with U.S. defense contracts, allegedly left parts of its system so open that a basic user account could see records from across the platform. According to the report, that included names, emails, military base assignments, training info, and links to confidential training documents. Even worse? The issue was reportedly disclosed privately and only fixed 150 days later.
That delay is where the comment section really caught fire. One of the harshest reactions called out “Schemata and that delinquent CEO” and demanded accountability, while another zeroed in on the CEO’s reported reply asking whether the researchers wanted money: “Well that’s pretty damning.” In other words, the crowd wasn’t just upset about the exposure — they were furious about the vibe.
And because no online pile-on is complete without at least one side quest, a mini-drama broke out over the headline shorthand “a16z,” the nickname for venture capital firm Andreessen Horowitz. One commenter basically begged the tech world to stop speaking in code, while another jumped in to translate for the rest of us. So yes, the community managed to turn a military data scare into both a corporate accountability brawl and a jargon roast. Dark, messy, very internet.
Key Points
- •The article says Schemata’s API exposed cross-tenant data to a low-privilege account because of missing authorization checks.
- •According to the report, exposed information included user records, organization data, course metadata, and direct links to sensitive military training documents.
- •The article states that the exposed user data included names, emails, enrollment information, and military base assignments for U.S. service members.
- •Strix says it found the issue by mapping the application’s API surface from normal browser traffic and replaying high-value endpoints with an ordinary session.
- •The report says Schemata acknowledged the exposed endpoints on May 1, 2026, about 150 days after initial disclosure, and patched the issue before publication.