HackerOne and Navia Benefit Solutions Inc.: HackerOne Data Breach Exposes SSNs and Health Details

HackerOne Data Breach Traces Back to Third-Party Benefits Provider

HackerOne, a San Francisco-based cybersecurity firm specializing in bug bounty programs, disclosed a data breach affecting 287 U.S.-based employees and dependents. The incident originated from Navia Benefit Solutions Inc., a third-party benefits administrator based in Renton, Washington, rather than HackerOne’s own systems.

The breach was discovered on January 23, 2026, after Navia detected suspicious activity between December 22, 2025, and January 15, 2026. An investigation revealed that a Broken Object Level Authorization (BOLA) vulnerability in Navia’s systems allowed an unauthorized actor to access and exfiltrate sensitive data. The exposed information included Social Security numbers, full names, addresses, dates of birth, email addresses, health plan details, and dependent data.

Navia notified affected companies, including HackerOne, on February 20, 2026, after completing its review. HackerOne confirmed the breach’s legitimacy in a meeting with Navia on March 13, 2026, and began notifying impacted individuals via written notices on March 17, 2026. The breach was formally disclosed to the Maine Attorney General on March 23, 2026, with one Maine resident among those affected.

HackerOne stated it is still awaiting further details from Navia regarding the vulnerability and is evaluating the provider’s security practices. While Navia has found no evidence of data misuse, HackerOne is treating the incident as a potential risk for identity theft, fraud, or financial loss. As a remedial measure, Navia is offering complimentary credit monitoring services through Kroll to affected individuals.

Affected parties can direct inquiries to security@hackerone.com or Navia’s dedicated assistance line, as outlined in individual notifications.

Source: https://www.claimdepot.com/data-breach/hackerone-2026

Navia Benefit Solutions, Inc. cybersecurity rating report: https://www.rankiteo.com/company/navia-benefit-solutions-inc

HackerOne cybersecurity rating report: https://www.rankiteo.com/company/hackerone

"id": "NAVHAC1774377242",
"linkid": "navia-benefit-solutions-inc, hackerone",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '287 U.S.-based employees and '
                                              'dependents',
                        'industry': 'Information Technology',
                        'location': 'San Francisco, California, USA',
                        'name': 'HackerOne',
                        'type': 'Cybersecurity Firm'},
                       {'industry': 'Human Resources/Employee Benefits',
                        'location': 'Renton, Washington, USA',
                        'name': 'Navia Benefit Solutions Inc.',
                        'type': 'Third-Party Benefits Administrator'}],
 'attack_vector': 'Third-Party Compromise',
 'customer_advisories': 'Affected individuals notified via written notices; '
                        'inquiries directed to security@hackerone.com or '
                        'Navia’s assistance line',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '287',
                 'personally_identifiable_information': 'Social Security '
                                                        'numbers, full names, '
                                                        'addresses, dates of '
                                                        'birth, email '
                                                        'addresses',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (PII), Health Plan '
                                             'Details'},
 'date_detected': '2026-01-23',
 'date_publicly_disclosed': '2026-03-23',
 'description': 'HackerOne disclosed a data breach affecting 287 U.S.-based '
                'employees and dependents, originating from Navia Benefit '
                'Solutions Inc., a third-party benefits administrator. The '
                'breach involved unauthorized access to sensitive data due to '
                'a Broken Object Level Authorization (BOLA) vulnerability in '
                'Navia’s systems.',
 'impact': {'brand_reputation_impact': 'Potential risk to HackerOne’s '
                                       'reputation due to third-party breach',
            'data_compromised': 'Social Security numbers, full names, '
                                'addresses, dates of birth, email addresses, '
                                'health plan details, and dependent data',
            'identity_theft_risk': 'High',
            'systems_affected': 'Navia Benefit Solutions Inc. systems'},
 'investigation_status': 'Ongoing (awaiting further details from Navia)',
 'post_incident_analysis': {'corrective_actions': 'Evaluation of Navia’s '
                                                  'security practices; '
                                                  'offering credit monitoring '
                                                  'services',
                            'root_causes': 'Broken Object Level Authorization '
                                           '(BOLA) vulnerability in Navia’s '
                                           'systems'},
 'references': [{'source': 'HackerOne Disclosure'}],
 'regulatory_compliance': {'regulatory_notifications': 'Maine Attorney '
                                                       'General'},
 'response': {'communication_strategy': 'Written notices to affected '
                                        'individuals, disclosure to Maine '
                                        'Attorney General',
              'remediation_measures': 'Navia is offering complimentary credit '
                                      'monitoring services through Kroll',
              'third_party_assistance': 'Kroll (credit monitoring services)'},
 'title': 'HackerOne Data Breach Traces Back to Third-Party Benefits Provider',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Broken Object Level Authorization (BOLA)'}