HackerOne Breach: Employee Data Stolen After Navia

HackerOne has confirmed a data breach impacting 287 of its employees. The incident stemmed from a cyberattack targeting Navia Benefit Solutions, the company’s U.S. benefits administrator.

The breach stemmed from a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API, which exposed the sensitive personal and health information of approximately 2.7 million individuals nationwide.

An unknown threat actor exploited a Broken Object Level Authorization (BOLA) flaw within an Application Programming Interface (API) endpoint belonging to Navia Benefit Solutions.

This vulnerability granted the attacker unauthorized, read-only access to internal systems without altering data or deploying ransomware, which allowed the intrusion to remain undetected for several weeks.

Compromised HackerOne Employee Data

The unauthorized access occurred between December 22, 2025, and January 15, 2026. Navia officially detected the suspicious activity on January 23, 2026, and subsequently launched an internal forensic investigation alongside federal law enforcement.

Despite discovering the breach in late January, HackerOne reported a significant delay in receiving the disclosure. Navia reportedly sent notification letters dated February 20, 2026, but HackerOne did not receive formal notice until March.

After verifying the incident, HackerOne met with Navia on March 13, 2026, to assess the scope of the compromised data. The bug bounty platform has openly criticized the delayed timeline and is demanding a satisfactory explanation from the benefits administrator.

Consequently, HackerOne has launched its own internal investigation to evaluate Navia’s privacy and security practices, warning that it may explore alternative benefits providers if these standards are not met.

While financial and claims details were not exfiltrated, the exposed dataset provides sufficient material for sophisticated social engineering, identity theft, and phishing campaigns.

The breach compromised the data of 287 HackerOne employees, contributing to the 2.7 million total victims across Navia’s 10,000 corporate clients.

HackerOne is proceeding under the assumption that the compromised information could still be abused by threat actors. Employees have been advised to remain highly vigilant against targeted phishing attempts that may leverage the stolen data to impersonate employers or government agencies.

Affected individuals are urged to monitor their financial accounts for unusual activities, update relevant passwords and security questions, and take advantage of the complimentary identity protection services.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.