HackerOne employees compromised in Navia Benefit Solutions hack

Bug bounty platform HackerOne had information from nearly 300 of its employees breached as a result of a cyberattack against its third-party benefits provider Navia Benefit Solutions, which was reported to have impacted over 2.6 million individuals, The Register reports. Abuse of a Broken Object Level Authorization vulnerability within the Navia environment enabled threat actors to compromise sensitive HackerOne employee information, including full names, birthdates, Social Security numbers, home and email addresses, and health plan details, between Dec. 22, 2025 and Jan. 15, 2026, said HackerOne in breach notifications sent to affected workers and filed with Maine regulators. Despite Navia's assertions that no data misuse has been observed so far, HackerOne which criticized its vendor's weeks-long delay in sending formal breach notices called on employees to be vigilant of potential phishing and fraud attacks, as well as consider credit locking, as it reevaluates the security and privacy measures implemented by Navia.