HackerOne Data Breach – Employees Data Stolen Following Navia Hack

Home Cyber Security HackerOne Data Breach – Employees Data Stolen Following Navia Hack HackerOne recently disclosed a data breach affecting 287 of its employees following a cyberattack on its U.S. benefits administrator, Navia Benefit Solutions. The breach stemmed from a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API, which exposed the sensitive personal and health information of approximately 2.7 million individuals nationwide. An unknown threat actor exploited a Broken Object Level Authorization (BOLA) flaw within an Application Programming Interface (API) endpoint belonging to Navia Benefit Solutions. This vulnerability granted the attacker unauthorized, read-only access to internal systems without altering data or deploying ransomware, which allowed the intrusion to remain undetected for several weeks. Compromised HackerOne Employee Data The unauthorized access occurred between December 22, 2025, and January 15, 2026. Navia officially detected the suspicious activity on January 23, 2026, and subsequently launched an internal forensic investigation alongside federal law enforcement. Despite discovering the breach in late January, HackerOne reported a significant delay in receiving the disclosure. Navia reportedly sent notification letters dated February 20, 2026, but HackerOne did not receive formal notice until March. After verifying the incident, HackerOne met with Navia on March 13, 2026, to assess the scope of the compromised data. The bug bounty platform has openly criticized the delayed timeline and is demanding a satisfactory explanation from the benefits administrator. Consequently, HackerOne has launched its own internal investigation to evaluate Navia’s privacy and security practices, warning that it may explore alternative benefits providers if these standards are not met. While financial and claims details were not exfiltrated, the exposed dataset provides sufficient material for sophisticated social engineering, identity theft, and phishing campaigns. The breach compromised the data of 287 HackerOne employees, contributing to the 2.7 million total victims across Navia’s 10,000 corporate clients. HackerOne is proceeding under the assumption that the compromised information could still be abused by threat actors. Employees have been advised to remain highly vigilant against targeted phishing attempts that may leverage the stolen data to impersonate employers or government agencies. Affected individuals are urged to monitor their financial accounts for unusual activities, update relevant passwords and security questions, and take advantage of the complimentary identity protection services. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Dell Wyse Management Vulnerabilities Enables Complete System Compromise Cyber Security News Tycoon2FA Operators Resume Cloud Account Phishing After Infrastructure Disruption Cyber Security News CanisterWorm Gets Destructive as TeamPCP Deploys Iran-Focused Kubernetes Wiper Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026