HackerOne discloses employee data breach after Navia hack
HackerOne discloses employee data breach via compromised benefits administrator Navia.
Summary
Bug bounty platform HackerOne notified 287 employees that their personal data was stolen after attackers exploited a Broken Object Level Authorization (BOLA) vulnerability in Navia, a U.S. benefits administrator. The breach exposed Social Security numbers, names, addresses, phone numbers, dates of birth, and enrollment information between December 22, 2025, and January 15, 2026. HackerOne, which manages 1,950+ bug bounty programs for major firms and U.S. government agencies, is offering affected employees 12 months of free identity protection and credit monitoring.
Full text
By Sergiu Gatlan, March 24, 2026 10:01 AM

Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators.

HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies like General Motors, Goldman Sachs, Anthropic, GitHub, and Uber, as well as to U.S. government agencies such as the Department of Defense. Navia is a leading consumer-focused benefits administrator serving over 10,000 employers across the United States.

In a filing with the Office of the Maine Attorney General, HackerOne also revealed that the data breach exposed the sensitive information of 287 employees.

"At this time, we have been informed that a Broken Object Level Authorization (BOLA) vulnerability led to an unknown actor accessing Navia data between December 22, 2025, and January 15, 2026," the company said. "On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026 to impacted companies."

The exposed information includes a combination of Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for each affected employee and their dependents.

HackerOne also encouraged impacted employees to be cautious of suspicious messages, monitor their financial accounts for unusual activity, and take advantage of the 12-month free identity protection and credit monitoring service provided by Navia.

"You may also want to consider changing passwords or password hints/security questions if they involve the personal data listed above," the company added.
When it disclosed the incident earlier this month, Navia underlined that the data breach did not impact affected individuals' claims or financial information. However, the exposed data is sufficient for threat actors to launch phishing and social engineering attacks against people impacted by the incident.

Although Navia flagged the incident as a data theft attack, no cybercrime group or ransomware operation has taken responsibility for the breach.
Indicators of Compromise
- mitre_attack — Broken Object Level Authorization (BOLA)