Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators.
HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies like General Motors, Goldman Sachs, Anthropic, GitHub, and Uber, as well as to U.S. government agencies such as the Department of Defense.
Navia is a leading consumer-focused benefits administrator serving over 10,000 employers across the United States.
In a filing with the Office of the Maine Attorney General, HackerOne also revealed that the data breach exposed the sensitive information of 287 employees.
“At the moment, we have been informed that a Broken Object Level Authorization (BOLA) vulnerability led to an unknown actor accessing Navia data between December 22, 2025, and January 15, 2026,” the company said. “On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026 to impacted companies.”
The exposed information includes a combination of Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for each affected employee and their dependents.
HackerOne also encouraged impacted employees to be wary of suspicious messages, monitor their financial accounts for unusual activity, and take advantage of the 12-month free identity protection and credit monitoring service offered by Navia.
“You may also wish to consider changing passwords or password hints/security questions if they involve the personal data listed above,” the company added.
When it disclosed the incident earlier this month, Navia underlined that the data breach did not impact affected individuals’ claims or financial information.
However, the exposed data is sufficient for threat actors to launch phishing and social engineering attacks against people impacted by the incident.
Although Navia flagged the incident as a data theft attack, no cybercrime group or ransomware operation has taken responsibility for the breach.




