HackerOne recently disclosed a data breach affecting 287 of its employees following a cyberattack on its U.S. benefits administrator, Navia Benefit Solutions.
The breach stemmed from a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API, which exposed the sensitive personal and health information of approximately 2.7 million individuals nationwide.
An unknown threat actor exploited a Broken Object Level Authorization (BOLA) flaw within an Application Programming Interface (API) endpoint belonging to Navia Benefit Solutions.
This vulnerability granted the attacker unauthorized, read-only access to internal systems without altering data or deploying ransomware, which allowed the intrusion to remain undetected for several weeks.
Compromised HackerOne Employee Data
The unauthorized access occurred between December 22, 2025, and January 15, 2026. Navia officially detected the suspicious activity on January 23, 2026, and subsequently launched an internal forensic investigation alongside federal law enforcement.
Despite discovering the breach in late January, HackerOne reported a significant delay in receiving the disclosure. Navia reportedly sent notification letters dated February 20, 2026, but HackerOne did not receive formal notice until March.
After verifying the incident, HackerOne met with Navia on March 13, 2026, to assess the scope of the compromised data. The bug bounty platform has openly criticized the delayed timeline and is demanding a satisfactory explanation from the benefits administrator.
Consequently, HackerOne has launched its own internal investigation to evaluate Navia’s privacy and security practices, warning that it may explore alternative benefits providers if these standards are not met.
While financial and claims details were not exfiltrated, the exposed dataset provides sufficient material for sophisticated social engineering, identity theft, and phishing campaigns.
The breach compromised the data of 287 HackerOne employees, contributing to the 2.7 million total victims across Navia’s 10,000 corporate clients.
HackerOne is proceeding under the assumption that the compromised information could still be abused by threat actors. Employees have been advised to remain highly vigilant against targeted phishing attempts that may leverage the stolen data to impersonate employers or government agencies.
Affected individuals are urged to monitor their financial accounts for unusual activities, update relevant passwords and security questions, and take advantage of the complimentary identity protection services.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
