HackerOne Employee Data Exposed in Massive Navia Breach

Cybersecurity firm HackerOne is notifying nearly 300 employees that their personal information was exposed in a data breach recently disclosed by third-party benefits administrator Navia Benefit Solutions. Navia revealed last week that it discovered unauthorized access to its systems on January 23, and an investigation found that the attacker had access between December 22, 2025, and January 15, 2026.  The company said the hackers accessed and acquired information such as names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan information. Navia told the Maine Attorney General’s Office that nearly 2.7 million individuals are impacted by the data breach. In a notification submitted this week to the Maine AGO, bug bounty platform and offensive security solutions provider HackerOne said it was recently notified by Navia, which serves as one of its US benefits administrators, that the information of 287 employees may have been affected by the data breach. HackerOne said the notification it received from Navia was dated February 20, but it was only delivered in March. “The safe handling of your personal data is core to who we are as an organization, and HackerOne is treating this as requiring our critical attention,” HackerOne said. “We will undertake our own investigation to assess this incident and are actively communicating with Navia to understand more about how and why this incident occurred and identify immediate areas for improvement to ensure the data of our employees and their dependents is protected.” It added, “HackerOne will also be evaluating Navia’s privacy and security policies and practices. If we are not satisfied, we will explore other potential options for benefits providers with our broker.” Navia said in its notification to impacted individuals that it’s not aware of “any attempted or actual misuse” of the exposed information.  However, ‘no evidence of misuse’ is a standard disclaimer frequently issued by breached companies.  In Navia’s case there is no indication that cybercriminals have made public any data stolen from the company’s systems, but the aforementioned disclaimer has been used in the past even by firms that had their data publicly leaked. Related: Extortion Group Claims It Hacked AstraZeneca Related: 3.1 Million Impacted by QualDerm Data Breach Related: Mazda Says Employee, Partner Information Stolen in Cyberattack Related: Thousands Affected by Ericsson Data Breach WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Stryker Says Malicious File Found During Probe Into Iran-Linked Attack M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability Critical Quest KACE Vulnerability Potentially Exploited in Attacks US Confirms Handala Link to Iran Government Amid Takedown of Hackers’ Sites Aisuru and Kimwolf DDoS Botnets Disrupted in International Operation Marquis Data Breach Affects 672,000 Individuals CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability Latest News DoE Publishes 5-Year Energy Security Plan Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Poland Faced a Surge in Cyberattacks in 2025, Including a Major Assault on the Energy Sector RSAC 2026 Conference Announcements Summary (Day 1) Extortion Group Claims It Hacked AstraZeneca Chrome 146 Update Patches High-Severity Vulnerabilities Webinar Today: Putting CIS Controls and Benchmarks into Practice 3.1 Million Impacted by QualDerm Data Breach Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move The US Senate confirmed Markwayne Mullin as DHS Secretary. 7AI has appointed Israel Barak as its first Chief Information Security Officer. Brian Harrell has been appointed Chief Security Officer at FirstEnergy. More People On The Move Expert Insights Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Email