HackerOne says employee data was stolen after breach at benefits provider Navia


HackerOne says data belonging to 287 employees was exposed after a cyberattack on Navia Benefit Solutions, one of its U.S. benefits administrators. The company says the incident did not come from HackerOne’s own systems, but from Navia’s environment, where an attacker allegedly accessed sensitive records tied to employee benefits data.

According to HackerOne’s disclosure, the attacker had access to Navia data between December 22, 2025, and January 15, 2026. Navia detected suspicious activity on January 23, 2026. The broader incident has been reported as affecting about 2.7 million people across Navia’s client base.

HackerOne says it did not receive formal notice until March, despite letters dated February 20, 2026. The company has criticized that timeline and says it is still waiting for a satisfactory explanation for the delay in notification.

The exposed data appears serious enough to create real follow-on risk. HackerOne says the stolen information may include Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment details, and information related to dependents. Even without direct financial account theft, that kind of data can fuel phishing, fraud, and identity theft.

What happened

HackerOne says Navia informed it that an unknown attacker exploited a Broken Object Level Authorization, or BOLA, flaw in Navia’s environment. BOLA is an authorization weakness in which an application returns a record by its identifier without verifying that the requester is entitled to that particular record. The breach reportedly involved read-only access, which may have helped the intrusion avoid immediate detection because the attacker did not need to alter data or deploy ransomware to collect sensitive records.
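To make the vulnerability class concrete, here is an added, constructed illustration of the BOLA pattern beside its fix. It is not Navia’s or HackerOne’s code and says nothing about the actual flaw; the record store, user ids and field names are all assumptions.

```python
# Added illustration of a Broken Object Level Authorization (BOLA) flaw and its fix.
# Constructed example; not Navia's or HackerOne's code and not the actual flaw.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BenefitsRecord:
    record_id: int
    owner_user_id: int
    ssn_last4: str
    plan: str


# Constructed records, keyed by a predictable integer identifier.
RECORDS = {
    1001: BenefitsRecord(1001, owner_user_id=7, ssn_last4="1234", plan="HSA"),
    1002: BenefitsRecord(1002, owner_user_id=8, ssn_last4="9876", plan="FSA"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_record_vulnerable(caller_user_id: int, record_id: int) -> Optional[BenefitsRecord]:
    """BOLA pattern: the caller is authenticated, but nothing checks that the
    object belongs to them, so any logged-in user can read any record id."""
    return RECORDS.get(record_id)


def get_record_hardened(caller_user_id: int, record_id: int, *, is_admin: bool = False) -> BenefitsRecord:
    """Object-level check: the read is scoped to the caller's own record (or an
    admin role). The same error covers 'missing' and 'not yours', so the
    response does not reveal which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or (record.owner_user_id != caller_user_id and not is_admin):
        raise Forbidden(f"record {record_id} is not accessible to user {caller_user_id}")
    return record


def can_read(caller_user_id: int, record_id: int, *, is_admin: bool = False) -> bool:
    """Convenience wrapper around the hardened check for policy tests."""
    try:
        get_record_hardened(caller_user_id, record_id, is_admin=is_admin)
        return True
    except Forbidden:
        return False
```

A review or test suite can assert on `can_read` for every (caller, object) pair the API exposes, which is the check the vulnerable version never performs.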

Navia has separately disclosed a much larger breach affecting more than 2.6 million people. The company said it detected suspicious activity on January 23 and later determined that an unauthorized party had accessed certain data during the late-December to mid-January period. Maine’s breach filing lists the affected count at 2,697,540 people.

Why the HackerOne angle matters

This breach stands out because the downstream victim is a security company that helps organizations find and fix vulnerabilities. HackerOne manages bug bounty and vulnerability disclosure programs for major private companies and government agencies, so the incident highlights how third-party providers can still expose even security-focused businesses to personal data risk.

The case also shows why vendor notification timing matters. If a provider takes weeks to inform customers, the affected company loses valuable time to warn staff, rotate processes, and prepare for social engineering attempts. HackerOne has made clear that the delay is now part of its concern, not just the exposure itself.

What data was exposed

Data type | Reported exposure
Identity data | Full names, dates of birth, Social Security numbers, email addresses, home addresses, and phone numbers
Benefits data | Plan enrollment dates, effective dates, termination dates, and related benefits records
Family data | Information tied to dependents of affected employees
Financial claims data | Navia said there was no evidence that claims or direct financial information were impacted

What HackerOne is telling employees

HackerOne says affected employees should remain alert for suspicious emails, texts, and phone calls. The company also advised them to monitor financial accounts, consider changing passwords or security questions if they rely on exposed personal details, and enroll in the 12-month identity protection and credit monitoring service Navia is offering.

That advice makes sense because the exposed dataset contains enough information to support highly targeted phishing. Attackers do not always need banking data to cause damage. A full identity profile, paired with benefits details, can help them craft convincing employer-themed or government-themed lures. This is an inference based on the types of data disclosed and HackerOne’s own warning about phishing and fraud risk.

What this means for companies

The bigger lesson is not limited to HackerOne or Navia. This incident shows how benefits administrators and other back-office providers can become attractive targets because they hold sensitive employee records at scale. Once attackers reach those systems, the stolen data can create risk for thousands of employers at once.

It also shows that read-only breaches can still have serious consequences. If attackers quietly copy data rather than disrupt operations, companies may not notice the compromise quickly. That delay can widen the window for phishing, fraud, and identity theft after the theft itself.
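Read-only harvesting through an object-level authorization flaw still leaves a trace: one principal successfully reading many distinct object ids in a short span. The following added detection sketch runs over constructed API access log lines; the log format, user ids, window and threshold are assumptions, not Navia’s logging.

```python
# Added example: flag a principal that reads an unusually large number of distinct
# objects within a sliding time window, the footprint a read-only id sweep leaves
# in API access logs. Constructed log format and thresholds; not Navia's logging.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) GET /api/records/(?P<rid>\d+) (?P<status>\d{3})$"
)

# Constructed sample: u7 and u9 read one record each; u8 sweeps five ids in ~90 seconds.
SAMPLE_LOG = """\
2026-01-05T09:00:01Z user=u7 GET /api/records/1001 200
2026-01-05T09:00:05Z user=u8 GET /api/records/1002 200
2026-01-05T09:00:06Z user=u8 GET /api/records/1003 200
2026-01-05T09:00:07Z user=u8 GET /api/records/1004 200
2026-01-05T09:00:08Z user=u8 GET /api/records/1005 200
2026-01-05T09:01:30Z user=u8 GET /api/records/1006 200
2026-01-05T13:00:00Z user=u9 GET /api/records/1007 200
"""


def parse(log_text):
    """Yield (timestamp, user, record_id, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], int(m["rid"]), int(m["status"])


def flag_enumeration(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Return {user: peak distinct ids} for users whose successful reads of
    distinct record ids inside any window of the given length exceed max_distinct."""
    per_user = defaultdict(list)
    for ts, user, rid, status in sorted(parse(log_text)):
        if status == 200:
            per_user[user].append((ts, rid))
    flagged = {}
    for user, reads in per_user.items():
        start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1
            distinct = {rid for _, rid in reads[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[user] = max(len(distinct), flagged.get(user, 0))
    return flagged
```

Tune the window and threshold to the application’s normal per-user read rate; a benefits portal where each user reads only their own handful of records tolerates a low threshold.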

What affected people should do now

  • Watch for suspicious emails, calls, and texts that reference benefits, HR, COBRA, or tax documents.
  • Review bank and credit card activity even though direct financial data was not reportedly exposed.
  • Enroll in the free identity protection and credit monitoring service offered through Navia.
  • Change security questions or passwords if they rely on exposed personal details such as birth dates, family names, or addresses.
  • Consider placing a fraud alert or credit freeze if your Social Security number was included.

FAQ

Was HackerOne itself hacked?

HackerOne says the exposed employee data came from Navia Benefit Solutions, one of its U.S. benefits administrators, not from HackerOne’s own systems.

How many HackerOne employees were affected?

HackerOne’s filing says 287 employees were affected.

How big was the wider Navia breach?

Maine’s filing lists 2,697,540 affected people, and public reporting describes the breach as affecting roughly 2.7 million individuals.

What kind of vulnerability was involved?

HackerOne said it was informed that a Broken Object Level Authorization, or BOLA, flaw in Navia’s environment allowed the unauthorized access.

Did attackers steal financial or claims data?

Navia said the breach did not impact claims or financial information, based on the disclosures cited in reporting on the incident.

Readers help support VPNCentral. We may get a commission if you buy through our links.