In a surprising development, a data breach at Navia Benefit Solutions has led to the exposure of sensitive personal information of nearly 300 employees from HackerOne, a major bug bounty platform. This breach has not only affected those working at HackerOne but has also raised concerns about how vulnerabilities at third-party services can have far-reaching consequences for even the most security-conscious companies.
This breach, which lasted between December 22, 2025, and January 15, 2026, highlights the ongoing risks that organizations face when dealing with external partners. The breach was discovered in January 2026, but the details of what was exposed have only recently come to light.
The Breach at Navia
Navia Benefit Solutions, a U.S.-based provider of employee benefits administration, was the target of an attack that impacted over 2.6 million individuals. While the company provides a wide array of services, including Flexible Spending Accounts (FSAs), Health Savings Accounts (HSAs), and COBRA, the breach did not involve financial claims data. However, the compromised data did include personal information, such as Social Security numbers, full names, dates of birth, phone numbers, and email addresses.
The breach took place over a period of nearly a month, from December 22, 2025, to January 15, 2026. Suspicious activity was flagged on January 23, prompting Navia to launch an investigation into the extent of the breach. While no financial or claims data were exposed, the company noted that the personal information involved could still leave individuals vulnerable to phishing and social engineering attacks.
Following the discovery, Navia undertook a comprehensive review of its security protocols, making improvements where necessary. The company also notified impacted individuals and provided them with 12 months of free identity protection and credit monitoring services through Kroll.
The HackerOne Connection
While the breach initially seemed to be limited to Navia's own clients, the impact was far-reaching, affecting a number of employees at HackerOne. According to a filing with the Maine Attorney General, 287 HackerOne employees had their personal information exposed as a result of the breach. HackerOne, which runs a bug bounty platform and provides cybersecurity services to some of the world’s largest organizations, became aware of the breach several weeks after it occurred. The notification to HackerOne was delayed, arriving in March 2026 despite being sent by Navia in February.
The exposed information for HackerOne employees included full names, Social Security numbers, addresses, phone numbers, and email addresses. In some cases, details about their benefits enrollment were also compromised. This revelation underscores the interconnected risks that come with third-party services. Even companies focused on cybersecurity can find themselves vulnerable if one of their service providers is breached.
The HackerOne team has responded to the breach by launching its own investigation and working with Navia to understand the full scope of the incident. They are also reviewing Navia’s security practices to determine whether alternative providers should be considered for employee benefits management.
The Security Flaw and Impact
According to HackerOne, the breach was made possible by a Broken Object Level Authorization (BOLA) vulnerability. This type of flaw arises when an application does not verify that the requester is authorized for the specific object a request refers to, which allows attackers to access data they are not authorized to view; in this case, it was exploited to access sensitive data at Navia. Although no group has taken responsibility for the attack, the breach remains a reminder of the potential consequences of security flaws in widely used services.
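The class of flaw named above, shown as an added illustration rather than code from Navia, HackerOne or this article: a record lookup without and with an object-level authorization check, plus a count of distinct denied record IDs per user as a detection signal. The record layout, session fields and function names are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: int
    employer_id: int
    is_employer_admin: bool = False

# Constructed sample records, keyed by the object ID a client would send.
RECORDS = {
    1001: {"owner_id": 1, "employer_id": 10, "plan": "FSA"},
    1002: {"owner_id": 2, "employer_id": 10, "plan": "HSA"},
    1003: {"owner_id": 3, "employer_id": 20, "plan": "COBRA"},
}

class Forbidden(Exception):
    """Raised for both 'no such record' and 'not your record'."""

def get_record_vulnerable(session, record_id):
    # BOLA: the caller is authenticated, but nothing ties record_id to them.
    return RECORDS[record_id]

def _may_read(session, record):
    # Owners read their own record; an employer admin reads only records
    # belonging to the same employer.
    if record["owner_id"] == session.user_id:
        return True
    return (session.is_employer_admin
            and record["employer_id"] == session.employer_id)

def get_record_checked(session, record_id):
    record = RECORDS.get(record_id)
    # One error for missing and unauthorized, so responses do not reveal
    # which object IDs exist.
    if record is None or not _may_read(session, record):
        raise Forbidden(record_id)
    return record

def flag_enumeration(denials, threshold=3):
    """Given (user_id, record_id) denial events, return the user_ids that
    were denied on at least `threshold` distinct records."""
    seen = {}
    for user_id, record_id in denials:
        seen.setdefault(user_id, set()).add(record_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

The check runs on every lookup on the server side and is derived from the session, never from an identifier the client supplies about itself.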
While Navia’s breach has not been tied to any specific criminal group or ransomware operation, the exposed data is enough to fuel phishing attempts and identity theft. Security experts continue to highlight the importance of ensuring that third-party services adhere to rigorous cybersecurity standards, especially when sensitive employee data is at stake.
Conclusion
The data breach at Navia Benefit Solutions serves as a stark reminder of the risks organizations face when outsourcing critical services to third parties. In this case, the breach not only affected millions of individuals but also impacted employees at HackerOne, a leading cybersecurity company. As the investigation continues, the exposure of sensitive personal data reinforces the need for robust security measures across all partners and suppliers. While HackerOne and Navia are taking steps to address the issue, the incident is a wake-up call for companies everywhere about the vulnerabilities that can arise from relying on external providers.

