Nearly 300 HackerOne employees had sensitive personal data exposed after a Broken Object Level Authorization (BOLA) vulnerability was exploited in Navia Benefit Solutions, a third-party employee benefits administrator. The breach occurred between December 22, 2025 and January 15, 2026, but HackerOne didn't receive formal notification until March — weeks after Navia detected suspicious activity in late January. HackerOne publicly criticized Navia for the delayed disclosure and is reviewing whether to switch benefits providers. The broader Navia breach affected over 2.6 million people. Compromised data includes Social Security Numbers, health plan details, and personal identifiers — prime identity theft material.

From go.theregister.com