HackerOne Employee Data Breached in Navia Attack

Summary
– HackerOne notified hundreds of employees that their data was stolen after a hack of its benefits administrator, Navia.
– The breach exposed sensitive personal information, including Social Security numbers and addresses, for 287 employees and their dependents.
– Navia stated a Broken Object Level Authorization vulnerability allowed unauthorized access between December 2025 and January 2026.
– The company is offering affected employees a 12-month identity protection service and advised vigilance against phishing.
– No cybercrime group has claimed responsibility for the breach, which did not impact claims or financial information.
A major bug bounty and cybersecurity services provider has confirmed that sensitive personal data belonging to hundreds of its staff was compromised in a breach at a third-party vendor. HackerOne, which operates security programs for prominent clients including General Motors, Goldman Sachs, and U.S. government agencies, reported that the incident stemmed from a hack at Navia, its U.S. benefits administrator.
According to a regulatory filing, the personal information of 287 HackerOne employees was exposed. Navia, which serves over 10,000 employers nationally, informed HackerOne that a Broken Object Level Authorization (BOLA) vulnerability allowed an unauthorized actor to access its systems between late December 2025 and mid-January 2026. The administrator detected suspicious activity on January 23 and began notifying impacted companies in late February.
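The filing names a Broken Object Level Authorization (BOLA) flaw without detailing it. As an added example (not code from the article, from Navia or from HackerOne), the pattern is shown below on a constructed benefits-record lookup: a handler that only checks that the caller is logged in, the hardened version that also checks the record belongs to the caller, and a small log check a defender can run to spot one account reading other people's records. All names, records and log entries are constructed samples.

```python
# Added illustration, not code from the article or from any Navia/HackerOne system.
# Names, records and log entries below are constructed samples.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Enrollment:
    record_id: int
    owner: str        # employee account the record belongs to
    ssn_last4: str
    plan_end: str


# Constructed in-memory store keyed by record id (the "object" in BOLA).
RECORDS = {
    101: Enrollment(101, "alice", "1234", "2026-12-31"),
    102: Enrollment(102, "bob", "5678", "2026-06-30"),
}


class Forbidden(Exception):
    pass


def get_enrollment_vulnerable(caller: str, record_id: int) -> Enrollment:
    # The caller is authenticated (has a session), but the handler never
    # checks that the requested object belongs to them: changing the id in
    # the request returns someone else's record. This is the BOLA pattern.
    return RECORDS[record_id]


def get_enrollment_fixed(caller: str, record_id: int) -> Enrollment:
    # Object-level check: fetch, then verify ownership before returning.
    # Missing and foreign records raise the same error so the response does
    # not reveal which ids exist.
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != caller:
        raise Forbidden(f"no accessible record {record_id}")
    return rec


def flag_cross_owner_reads(log, threshold=2):
    # Detection side: from (caller, record_id) access-log pairs, count per
    # caller the reads of records they do not own, i.e. what the vulnerable
    # handler would have served. Callers at or above the threshold are
    # returned for investigation.
    foreign = defaultdict(int)
    for caller, record_id in log:
        rec = RECORDS.get(record_id)
        if rec is not None and rec.owner != caller:
            foreign[caller] += 1
    return {c: n for c, n in foreign.items() if n >= threshold}
```

The fix is the ownership comparison, not a change to authentication; the log check is only useful if the service records which authenticated account requested which object id.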
The stolen data is extensive, posing a significant risk to those affected. It includes Social Security numbers, full names, physical addresses, phone numbers, and dates of birth. Email addresses, along with plan enrollment, effective, and termination dates for employees and their dependents, were also part of the breach.
While Navia has stated the incident did not affect individuals’ claims or financial account details, the scope of the exposed information is a serious concern. This data provides ample material for phishing and social engineering attacks. In response, HackerOne is advising impacted staff to remain vigilant against suspicious communications and to closely monitor their financial accounts.
The company is directing employees to use a 12-month free identity protection and credit monitoring service offered by Navia. It also recommends that individuals consider changing passwords and security question answers if they are based on any of the compromised personal details.
To date, no cybercrime group or ransomware operation has claimed responsibility for the intrusion, which Navia has classified as a data theft attack. The incident underscores the persistent risks associated with third-party vendor relationships, even for firms whose core business is cybersecurity.
(Source: BleepingComputer)
