TL;DR: HackerOne, the company that runs the world's largest bug bounty platform, just disclosed its own data breach. 287 employees had their Social Security numbers, health plan data, and personal information stolen through a Broken Object Level Authorization (BOLA) vulnerability at Navia Benefit Solutions, HackerOne's benefits administrator. The company that helps others find security flaws got burned by basic API security failures at a third-party vendor.

The irony writes itself

HackerOne's entire business model is finding security vulnerabilities before bad actors do. They've paid out over $300 million to ethical hackers for discovering bugs at companies like Google, Microsoft, and the U.S. Department of Defense.

Now they're on the other side of the breach notification form.

"The safe handling of your personal data is core to who we are as an organization," HackerOne told affected employees in their disclosure. That statement hits different when you're the victim instead of the solution.

What happened

The breach didn't happen at HackerOne directly. It happened at Navia Benefit Solutions, the company HackerOne uses to manage employee benefits like flexible spending accounts and health reimbursement arrangements.

Between December 22, 2025 and January 15, 2026, an attacker exploited a BOLA (Broken Object Level Authorization) vulnerability in Navia's API. This type of flaw lets attackers access data belonging to other users by manipulating object identifiers in API requests. Basic stuff, and exactly the kind of bug HackerOne's platform helps companies find.

The vulnerability granted read-only access. No data was modified. No ransomware deployed. The attacker could quietly pull records without triggering typical intrusion alerts. For 25 days, they had access to employee data across Navia's 10,000+ corporate clients.
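A read-only BOLA exploit produces no write, no malware and no failed logins, so the signal defenders have is one authenticated principal successfully reading many different people's records. The following is an added example, not code from the article, Navia or HackerOne: it parses a handful of constructed API access-log lines (a hypothetical format, with made-up users and employee IDs) and flags any caller that reads an unusually large number of distinct employee objects inside a short window, noting when the IDs form a contiguous run.

```python
"""Spot object-ID enumeration in API access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; the users and IDs are invented.
SAMPLE_LOG = """\
2025-12-22T10:00:01Z user=alice GET /api/employee/12345 200
2025-12-22T10:00:05Z user=bob GET /api/employee/12346 200
2025-12-22T10:00:09Z user=mallory GET /api/employee/12345 200
2025-12-22T10:00:10Z user=mallory GET /api/employee/12346 200
2025-12-22T10:00:11Z user=mallory GET /api/employee/12347 200
2025-12-22T10:00:12Z user=mallory GET /api/employee/12348 200
2025-12-22T10:00:13Z user=mallory GET /api/employee/12349 200
2025-12-22T10:00:14Z user=mallory GET /api/employee/12350 200
2025-12-22T10:30:00Z user=alice GET /api/employee/12345 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"/api/employee/(?P<obj>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "obj": int(m["obj"]),
            "status": int(m["status"]),
        })
    return events


def find_enumerators(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: (distinct_ids, contiguous)} for callers that successfully read
    at least `threshold` distinct employee objects within any `window`.

    Only 2xx responses count: a BOLA flaw serves the data, so the signal is many
    different objects returned to one principal, not a burst of 403s.
    """
    per_user = defaultdict(list)
    for e in events:
        if 200 <= e["status"] < 300:
            per_user[e["user"]].append((e["ts"], e["obj"]))

    flagged = {}
    for user, reads in per_user.items():
        reads.sort()
        best = set()
        start = 0
        # Sliding window over this caller's successful reads, keeping the
        # largest set of distinct object IDs seen inside one window.
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1
            ids = {obj for _, obj in reads[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= threshold:
            ordered = sorted(best)
            contiguous = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
            flagged[user] = (len(best), contiguous)
    return flagged


if __name__ == "__main__":
    for user, (n, contiguous) in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n} distinct employee records in one window, contiguous IDs: {contiguous}")
```

The threshold and window are tuning knobs: a benefits administrator legitimately opens many records, so in practice the rule is scoped per role (or the admin role is excluded) and the contiguous-run flag is what separates scripted ID walking from normal browsing.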

Timeline

  • December 22, 2025: Unauthorized access begins
  • January 15, 2026: Access ends
  • January 23, 2026: Navia discovers suspicious activity
  • February 20, 2026: Navia notifies affected companies
  • March 2026: HackerOne receives notification and files with Maine Attorney General

HackerOne is clearly frustrated with the timeline. The company called out Navia's "seemingly slow response" and says it only received the breach notification letter in March, weeks after Navia's internal discovery.

What got exposed

For those 287 HackerOne employees, the stolen data includes:

  • Full names
  • Social Security numbers
  • Dates of birth
  • Phone numbers and email addresses
  • Physical addresses
  • Health plan enrollment details
  • Plan effective dates and termination dates
  • Dependent information

This is the identity theft starter pack. SSN plus DOB plus address is everything a fraudster needs to open credit lines, file tax returns, or commit healthcare fraud in your name.

HackerOne's 287 affected employees are just a fraction of the total damage. Navia's breach impacted approximately 2.7 million people across their entire client base.

The third-party problem

HackerOne runs a tight security ship. They have to. Their reputation depends on it. But even security companies can't fully control what happens at their vendors.

This is the supply chain security problem that keeps CISOs awake at night. You can have world-class security internally, but one vendor with a sloppy API undoes all of it. HackerOne did due diligence when selecting a benefits provider. Navia is a major player serving over 10,000 employers. None of that mattered when the BOLA vulnerability was sitting there waiting to be found.

HackerOne says it's launched an internal investigation to evaluate Navia's "privacy and security practices" and may explore alternative benefits providers if these standards aren't met. Translation: they're considering firing Navia.

BOLA: The vulnerability that keeps giving

Broken Object Level Authorization consistently ranks in the OWASP API Security Top 10. It's not exotic. It's not sophisticated. It happens when an API doesn't properly verify that a user should have access to the specific object they're requesting.

Example: If an API lets you view your benefits by calling /api/employee/12345, a BOLA vulnerability means changing that to /api/employee/12346 would show you someone else's data. The system doesn't check whether you're authorized to see employee 12346; it just serves up the data.
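The fix is a per-object authorization check on every lookup, not just a login check at the door. Below is an added example, not code from the article or from Navia's API, showing a vulnerable lookup beside a hardened one over a constructed in-memory employee table (names, IDs and the "benefits_admin" role are hypothetical). The hardened version returns the same "not found" result for a record that does not exist and for one the caller may not see, so the endpoint cannot be used to confirm which IDs are valid.

```python
"""Object-level authorization for an /api/employee/<id> lookup (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed in-memory records; the IDs and people are invented.
EMPLOYEES = {
    12345: {"name": "A. Example", "ssn_last4": "1111", "employer": "acme", "subject": "alice"},
    12346: {"name": "B. Example", "ssn_last4": "2222", "employer": "acme", "subject": "bob"},
    12347: {"name": "C. Example", "ssn_last4": "3333", "employer": "globex", "subject": "carol"},
}


@dataclass(frozen=True)
class Session:
    """The authenticated caller: who they are, their roles, and the employer they administer."""
    subject: str
    roles: FrozenSet[str] = frozenset()
    employer: Optional[str] = None


class NotFound(Exception):
    """Maps to HTTP 404 in a real handler."""


def get_employee_vulnerable(session, employee_id):
    """BOLA: the caller is authenticated, but nothing checks that THIS record is theirs."""
    if session is None:
        raise PermissionError("login required")
    if employee_id not in EMPLOYEES:
        raise NotFound(employee_id)
    return EMPLOYEES[employee_id]          # any logged-in user can walk every ID


def is_authorized(session, record):
    """Object-level rule: the record's owner, or a benefits admin of the same employer."""
    if record["subject"] == session.subject:
        return True
    return "benefits_admin" in session.roles and session.employer == record["employer"]


def get_employee(session, employee_id):
    """Hardened lookup: authentication, then authorization against the specific object."""
    if session is None:
        raise PermissionError("login required")
    record = EMPLOYEES.get(employee_id)
    if record is None or not is_authorized(session, record):
        # Same outcome for "missing" and "not yours": the response must not
        # reveal which IDs exist, or the endpoint still supports enumeration.
        raise NotFound(employee_id)
    return record


if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable:", get_employee_vulnerable(bob, 12345)["name"])   # leaks alice's record
    try:
        get_employee(bob, 12345)
    except NotFound:
        print("hardened: 404 for a record bob does not own")
```

Putting the rule in one function (here is_authorized) and calling it from every read, update and delete path is what keeps the check from being forgotten on the next endpoint; where IDs are sequential integers, as in the article's example, switching to opaque per-tenant identifiers is a useful second layer but never a substitute for the check itself.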

This is exactly the type of vulnerability that HackerOne's platform helps companies find and fix every day. The irony is almost poetic.

What affected employees should do

Freeze your credit immediately

Don't wait. Contact Equifax, Experian, and TransUnion to freeze your credit files. This stops new accounts from being opened in your name. It's free and takes 10 minutes per bureau.

Get an IRS Identity Protection PIN

With your SSN exposed, tax fraud is a real risk. Request an IP PIN at irs.gov. This prevents anyone from filing a tax return using your Social Security number.

Monitor your benefits accounts

Log into your FSA, HRA, or other benefits accounts and check for unfamiliar claims or transactions. Healthcare fraud often flies under the radar.

Watch for phishing

Attackers now have your work email, phone number, and employer information. Expect targeted phishing attempts. Be suspicious of any unexpected communications about benefits, HR matters, or security issues.

The bigger picture

This breach underscores a hard truth: nobody is immune. Not security companies. Not companies that literally pay hackers to find vulnerabilities. The attack surface extends to every vendor, contractor, and service provider with access to your data.

HackerOne will recover. They'll likely tighten vendor security requirements and use this experience to inform their own platform. But for those 287 employees with their SSNs floating around, the damage is done.

There's no evidence yet that the stolen data has been misused. But breached data has a long shelf life. It gets combined with other datasets, sold on dark web forums, and used for years after the initial theft.
