In a recent cybersecurity incident, HackerOne disclosed a breach impacting 287 of its employees. This breach was a result of a cyberattack on Navia Benefit Solutions, the company’s U.S. benefits administrator.
Details of the Vulnerability
The breach originated from a vulnerability known as Broken Object Level Authorization (BOLA) in Navia's API. This flaw exposed the personal and health information of around 2.7 million individuals across the United States.
A currently unidentified attacker exploited this BOLA vulnerability in a Navia API endpoint, gaining unauthorized, read-only access to internal systems. Because no data was altered and no ransomware was deployed, the intrusion went undetected for several weeks.
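To make the flaw concrete, here is an added illustration (constructed for this article, not Navia's code and not derived from the incident) of a BOLA read in a benefits-style API: a handler that authenticates the caller but never checks that the requested record belongs to them, beside the hardened version that enforces object-level ownership, plus a simple detection heuristic for the read-only enumeration that lets such access go unnoticed. All record ids, account names and log entries are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records keyed by object id; each belongs to one account.
RECORDS = {
    1001: {"owner": "alice", "ssn_last4": "1234", "plan": "HSA"},
    1002: {"owner": "bob", "ssn_last4": "5678", "plan": "FSA"},
    1003: {"owner": "carol", "ssn_last4": "9012", "plan": "HSA"},
}

def get_record_vulnerable(caller, record_id):
    """BOLA: the caller is authenticated, but nothing checks that the
    requested object belongs to them, so any session can read any record."""
    if caller is None:
        raise PermissionError("unauthenticated")
    return RECORDS.get(record_id)

def get_record_hardened(caller, record_id):
    """Object-level authorization: ownership is checked on every access, and
    a foreign id is reported the same way as a missing one."""
    if caller is None:
        raise PermissionError("unauthenticated")
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != caller:
        raise PermissionError("not found or not authorized")
    return record

def can_read(caller, record_id):
    """True if the hardened handler grants the read."""
    try:
        get_record_hardened(caller, record_id)
        return True
    except PermissionError:
        return False

def flag_enumeration(access_log, threshold=3):
    """Detection heuristic for read-only abuse: one caller successfully
    reading at least `threshold` distinct object ids. Returns those callers."""
    seen = defaultdict(set)
    for entry in access_log:
        if entry["status"] == 200:
            seen[entry["caller"]].add(entry["record_id"])
    return {c for c, ids in seen.items() if len(ids) >= threshold}

# Constructed access-log entries: one caller walks sequential ids.
SAMPLE_LOG = [
    {"caller": "alice", "record_id": 1001, "status": 200},
    {"caller": "mallory", "record_id": 1001, "status": 200},
    {"caller": "mallory", "record_id": 1002, "status": 200},
    {"caller": "mallory", "record_id": 1003, "status": 200},
]
```

The threshold in `flag_enumeration` is a placeholder; in a real deployment it would be tuned against the normal per-account access pattern so that a single session reading many other accounts' records stands out.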
Timeline of the Breach
The unauthorized access spanned from December 22, 2025, to January 15, 2026. Navia detected suspicious activities on January 23, 2026, and promptly initiated a forensic investigation with federal law enforcement.
Although the breach was identified in January, HackerOne experienced delays in receiving the official disclosure. Navia issued notification letters on February 20, 2026, but HackerOne was formally informed only in March. Following verification, HackerOne met with Navia on March 13, 2026, to evaluate the breach's extent.
Implications and Response
HackerOne has criticized the notification delay and is demanding clarity from Navia. The bug bounty platform has also started its own investigation into Navia's privacy and security measures and has indicated that it may change benefits providers if its standards are not met.
Although financial data remains secure, the exposed data is well suited to social engineering, identity theft, and phishing operations. HackerOne is operating under the assumption that the leaked data could still be exploited, and is advising employees to be cautious of phishing attempts that may impersonate employers or officials.
Affected individuals should vigilantly monitor their financial activities, update passwords and security questions, and utilize the offered identity protection services.
