- HackerOne confirms supply chain breach via Navia service provider
- 287 employees’ sensitive data exposed, including SSNs, addresses and health plan information
- HackerOne criticizes Navia’s slow response; no evidence of data abuse yet, but overall 2.7 million people are affected
HackerOne has revealed that it was the victim of a supply chain attack in which it lost sensitive employee data.
The company has filed a new report with the Office of the Maine Attorney General confirming that 287 of its employees lost a combination of: social security number, full name, address, phone number, date of birth, email address, health plan participation (Y/N), non-health plan participation (Y/N), plan enrollment date, effective dates and termination dates.
In a letter sent to affected individuals, HackerOne explained that in late December 2025 and early January 2026, a threat actor managed to exploit a Broken Object Level Authorization (BOLA) vulnerability in Navia, a provider of employee benefits solutions.
No claims yet
“On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026 to affected companies,” the letter continues.
HackerOne said it only received the letter in March 2026, and slammed the service provider for its apparently slow response:
“We are still awaiting further information about the vulnerability that led to this incident and a satisfactory reason for the delay in their notification to us,” HackerOne said. The company emphasized that it will analyze Navia’s security practices directly and reevaluate the use of its services.
So far, there is no evidence to suggest that the stolen data is being misused in the wild, HackerOne says. However, it still urges all affected individuals to be cautious about incoming emails and other forms of communication, especially those claiming to be from either HackerOne or Navia.
Navia manages benefits for more than 10,000 US employers. According to an earlier report by TechRepublic, the Navia breach affected nearly 2.7 million people. No threat actor groups have yet claimed responsibility for the attack.
Via Bleeping Computer



