HackerOne Discloses Employee Data Breach Following Navia Cyber Attack

The bug bounty platform HackerOne has notified hundreds of employees that their data was compromised following a hack of Navia, one of its U.S.-based benefits administrators. This revelation underscores the interconnected nature of modern cybersecurity risks, where vulnerabilities in third-party vendors can have far-reaching consequences.

Breach Details

Navia, a leading consumer-focused benefits administrator, serves over 10,000 employers across the United States. Its breach exposed sensitive information, including Social Security numbers, full names, addresses, phone numbers, dates of birth, and employment details for approximately 287 employees and their dependents.

According to HackerOne, the breach resulted from a Broken Object Level Authorization (BOLA) vulnerability, which allowed unauthorized access to Navia data between December 22, 2025, and January 15, 2026.

On January 23, 2026, Navia detected suspicious activity in its environment, prompting it to notify affected parties.

Risk Assessment

The breached data poses a significant risk to the individuals involved, making them vulnerable to phishing and social engineering attacks. To mitigate this risk, HackerOne encouraged affected employees to monitor their financial accounts for unusual activity and to use the free 12-month identity protection and credit monitoring service offered by Navia.

Although Navia emphasized that the breach did not affect claimants’ financial information, the exposed data remains a concern due to its potential misuse by threat actors.

At present, t
