HackerOne Employee Data Leaked in Major Navinfo Security Breach
Employee Data Exposure Highlights Need for Enhanced Benefits Provider Security
On February 20, HackerOne, a prominent bug bounty platform and offensive security solutions provider, learned from Navia Benefit Solutions, its third-party benefits administrator, that employee data had been compromised in a recent data breach.
The breach, which occurred between December 22, 2025, and January 15, 2026, resulted in the exposure of sensitive information, including names, dates of birth, Social Security numbers, phone numbers, addresses, and health plan details.
Nearly 2.7 million individuals were affected by the breach, with 287 being employees of HackerOne.
Details of the Breach
- Date of breach: December 22, 2025 – January 15, 2026
- Affected information:
- Names
- Dates of birth
- Social Security numbers
- Phone numbers
- Addresses
- Health plan details
- Number of affected individuals: 2.7 million
- Number of HackerOne employees affected: 287
According to HackerOne:
HackerOne stated that it would conduct its own investigation into the incident and communicate closely with Navia to understand the circumstances surrounding the breach.
The company also expressed its intention to evaluate Navia’s privacy and security policies, with potential consequences if standards are not met.
Risks Associated with External Parties
The data breach highlights the risks associated with entrusting sensitive information to external parties, emphasizing the need for enhanced security protocols in benefits administration.
While the breach itself does not appear to have resulted in malicious activity, the incident serves as a reminder of the importance of vigilance and proactive security measures in protecting sensitive data.
Related Incidents
- Aisuru, a benefits administrator, reported a breach affecting over 670,000 individuals
- The U.S. Department of Energy published a five-year energy security plan aimed at mitigating potential threats to the nation’s energy infrastructure