HackerOne Data Breach: Employee Data Stolen Via Navia IT Systems Hack
Key Takeaways
- HackerOne employees’ personal and health information was compromised in a data breach impacting Navia Benefit Solutions.
- The breach originated from a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API.
- Sensitive data for 287 HackerOne employees and 2.7 million individuals nationwide was exposed.
- HackerOne is investigating Navia’s security practices and advising affected employees to take protective measures.
HackerOne, a prominent bug bounty platform, has confirmed a significant data breach affecting 287 of its employees. The incident originated from a cyberattack targeting Navia Benefit Solutions, the U.S. administrator for HackerOne’s employee benefits.
The breach was traced to a Broken Object Level Authorization (BOLA) vulnerability within Navia’s API. This flaw reportedly exposed sensitive personal and health information belonging to approximately 2.7 million individuals across the country.
An unidentified threat actor exploited this BOLA vulnerability in an API endpoint operated by Navia Benefit Solutions. The exploitation granted unauthorized, read-only access to Navia’s internal systems. Crucially, the attacker did not modify data or deploy ransomware, which allowed the intrusion to persist undetected for several weeks.
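As an added illustration (not code from the article, Navia or HackerOne), the following Python models the BOLA pattern described above: a handler that authenticates the caller but never checks that the requested object belongs to them, the corrected handler with an object-level authorization check, and a simple log heuristic a defender might use to spot enumeration of object IDs. All record data, user names and the access log are constructed for the example.

```python
"""Added example: a minimal BOLA flaw, its fix, and a detection heuristic.
Hypothetical data and handler names; this is not Navia's code."""
from collections import defaultdict

# Constructed sample data: each benefits record belongs to one employee.
RECORDS = {
    1001: {"owner": "alice", "ssn_last4": "1234", "plan": "HSA"},
    1002: {"owner": "bob",   "ssn_last4": "5678", "plan": "FSA"},
    1003: {"owner": "carol", "ssn_last4": "9012", "plan": "HRA"},
}

# Constructed access log: (session_user, record_id, http_status).
SAMPLE_LOG = [
    ("alice", 1001, 200), ("bob", 1002, 200),
    ("mallory", 1001, 200), ("mallory", 1002, 200), ("mallory", 1003, 200),
]

class Forbidden(Exception):
    """Raised when a caller may not read the requested object."""

def get_record_bola(session_user, record_id):
    """Vulnerable handler: checks authentication only. Any logged-in
    caller can read any record by supplying its id (the BOLA pattern)."""
    if session_user is None:
        raise Forbidden("not authenticated")
    return RECORDS[record_id]

def get_record_fixed(session_user, record_id):
    """Hardened handler: object-level authorization on every fetch."""
    if session_user is None:
        raise Forbidden("not authenticated")
    record = RECORDS.get(record_id)
    # Same error for missing and foreign records, so a caller cannot map
    # the id space by telling "not found" apart from "not yours".
    if record is None or record["owner"] != session_user:
        raise Forbidden("record not accessible")
    return record

def can_read(handler, session_user, record_id):
    """True if the handler returns the record, False if it refuses."""
    try:
        handler(session_user, record_id)
        return True
    except Forbidden:
        return False

def flag_enumeration(access_log, threshold=1):
    """Detection heuristic: a session that successfully reads more distinct
    record ids than it should own (threshold) is flagged for review."""
    seen = defaultdict(set)
    for user, rid, status in access_log:
        if status == 200:
            seen[user].add(rid)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)
```

The heuristic only works if the service logs successful object reads per session; that logging is itself part of the mitigation, since a read-only intrusion leaves no modified data to notice.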
Compromised HackerOne Employee Data
The unauthorized access occurred between December 22, 2025, and January 15, 2026. Navia officially detected the suspicious activity on January 23, 2026, subsequently initiating an internal forensic investigation and engaging federal law enforcement.
Despite Navia discovering the breach in late January, HackerOne reported a substantial delay in receiving formal notification. Navia reportedly dispatched notification letters on February 20, 2026, but HackerOne did not receive official notice until March.
Following verification of the incident, HackerOne met with Navia on March 13, 2026, to determine the full scope of the compromised data. The bug bounty platform has openly criticized the extended timeline for disclosure and is demanding a comprehensive explanation from the benefits administrator.
In response, HackerOne has initiated its own internal investigation to assess Navia’s privacy and security protocols. The company has indicated it may seek alternative benefits providers if Navia’s standards are deemed insufficient.
While financial and claims details were not exfiltrated, the exposed dataset contains sufficient information to facilitate sophisticated social engineering, identity theft, and phishing campaigns. The breach compromised data for 287 HackerOne employees, contributing to the broader total of 2.7 million victims across Navia’s 10,000 corporate clients.
HackerOne is operating under the assumption that the compromised information could still be exploited by malicious actors. Employees have been strongly advised to maintain heightened vigilance against targeted phishing attempts that might leverage the stolen data to impersonate employers or government agencies.
What You Should Do
- Monitor financial accounts and credit reports for any unusual or unauthorized activity.
- Update passwords and security questions for all sensitive online accounts, prioritizing unique, strong credentials.
- Be extremely cautious of unsolicited communications (emails, calls, texts) that request personal information, especially those claiming to be from employers or government agencies.
- Enroll in and utilize any complimentary identity protection services offered by affected organizations.
- Consider placing a credit freeze or fraud alert on your credit files as an additional layer of protection.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.