
HackerOne discloses employee data breach after Navia hack

Why This Matters

The data breach at HackerOne, which stems from a hack of its benefits administrator Navia, highlights the ongoing risk of cyberattacks that target employee and other sensitive data. The incident underscores why tech companies and consumers need to prioritize robust security measures and vigilant monitoring to limit the damage from such breaches.

Key Takeaways

Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators.

HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies like General Motors, Goldman Sachs, Anthropic, GitHub, and Uber, as well as to U.S. government agencies such as the Department of Defense.

Navia is a leading consumer-focused benefits administrator serving over 10,000 employers across the United States.

In a filing with the Office of the Maine Attorney General, HackerOne also revealed that the data breach exposed the sensitive information of 287 employees.

"At this time, we have been informed that a Broken Object Level Authorization (BOLA) vulnerability led to an unknown actor accessing Navia data between December 22, 2025, and January 15, 2026," the company said. "On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026 to impacted companies."

The exposed information includes a combination of Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for each affected employee and their dependents.

HackerOne also encouraged impacted employees to be cautious of suspicious messages, monitor their financial accounts for unusual activity, and take advantage of the 12-month free identity protection and credit monitoring service provided by Navia.

"You may also want to consider changing passwords or password hints/security questions if they involve the personal data listed above," the company added.

When it disclosed the incident earlier this month, Navia underlined that the data breach did not impact affected individuals' claims or financial information.

However, the exposed data is sufficient for threat actors to launch phishing and social engineering attacks against people impacted by the incident.
