HackerOne has confirmed that the personal data of hundreds of its employees was exposed following a security breach at Navia, a U.S.-based benefits administrator used by the company.
The incident affected 287 employees, according to a filing with the Office of the Maine Attorney General. Navia, which provides benefits services to more than 10,000 employers across the United States, experienced unauthorized access to its systems due to a security vulnerability.
HackerOne stated that the breach was linked to a Broken Object Level Authorization (BOLA) vulnerability. This flaw allowed an unknown attacker to access Navia’s data between December 22, 2025, and January 15, 2026. Navia detected suspicious activity on January 23 and later notified impacted organizations in February.
The exposed information includes sensitive personal details such as full names, Social Security numbers, addresses, phone numbers, dates of birth, email addresses, and benefit-related data like enrollment and termination dates. The data also extends to dependents of affected employees.
At this time, no threat group has claimed responsibility for the incident, and there is no indication that ransomware was involved.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
