- HackerOne confirms supply chain breach via benefits provider Navia
- Sensitive data of 287 employees exposed, including Social Security numbers, addresses and health plan details
- HackerOne criticizes Navia’s slow response; there is no evidence of data misuse yet, but 2.7 million people are affected in total
HackerOne has revealed that it was the victim of a supply chain attack in which it lost confidential data of its employees.
The company filed a new report with the Maine Attorney General’s Office, confirming that 287 of its employees lost a combination of: social security number, full name, address, telephone number, date of birth, email address, health plan participation (Y/N), non-medical plan participation (Y/N), plan enrollment dates, effective dates, and termination dates.
In a letter sent to affected individuals, HackerOne explained that in late December 2025 and early January 2026, a threat actor managed to exploit a Broken Object Level Authorization (BOLA) vulnerability in Navia, an employee benefits solutions provider.
No complaints yet
“On January 23, 2026, Navia became aware of suspicious activity in its environment. Navia sent letters dated February 20, 2026 to the affected companies,” the letter further reads.
HackerOne said it received the letter only in March 2026, criticizing the service provider for its apparently slow response:
“We are still awaiting additional information about the vulnerability that led to this incident and a satisfactory reason for the delay in reporting it,” HackerOne said. The company stressed that it will directly analyze Navia’s security practices and reassess the use of its services.
So far, there is no evidence to suggest that stolen data is being abused in the wild, HackerOne says. However, it still urges all affected people to be careful with incoming emails and other forms of communication, especially those claiming to come from HackerOne or Navia.
Navia manages benefits for more than 10,000 U.S. employers. According to a previous report by TechRepublic, the Navia breach affected almost 2.7 million people. No group of threat actors has yet claimed responsibility for the attack.
Via BleepingComputer




