HackerOne's employee data compromised during Navia data breach

Cyber security company HackerOne, Inc. said the personal and health benefits information of close to 300 employees was compromised during a cyber security incident at Navia Benefit Solutions.

 

Founded in 2012, HackerOne is a cyber security services company that helps businesses and companies engage with a global community of over 600,000 ethical hackers to check the security of their systems and networks and run penetration testing exercises to assess their defences against cyber attacks.

 

The company recently informed the office of the Attorney General of Maine that the personal and healthcare benefits information of as many as 287 employees was compromised during a data security incident at American health and financial benefits provider Navia Benefit Solutions.

 

HackerOne’s announcement comes not long after Navia Benefit Solutions, which provides comprehensive health and financial benefits services to employees of more than 10,000 businesses across the U.S., said that it suffered a significant data breach between December and January that compromised the personal information of over 2.6 million individuals.

 

Navia said unauthorised actors gained access to its systems between December 22, 2025 and January 15, 2026, and exfiltrated large amounts of data, including victims’ names, dates of birth, Social Security numbers, phone numbers, and email addresses.

 
HackerOne said it recently received communication from Navia Benefit Solutions that the hackers exploited a Broken Object Level Authorisation vulnerability to access Navia’s systems in December, but is waiting for further clarity from the benefits provider about the vulnerability that contributed to the data breach.

 

HackerOne, in the meantime, has determined that the data security incident compromised the health and benefits information of 287 employees, including their full names, dates of birth, email addresses, Social Security numbers, phone numbers and health plan details such as the dates of enrollment and termination.

 

"The safe handling of your personal data is core to who we are as an organisation, and HackerOne is treating this as requiring our critical attention," HackerOne said in its letter to affected employees. "We will undertake our own investigation to assess this incident and are actively communicating with Navia to understand more about how and why this incident occurred and identify immediate areas for improvement to ensure the data of our employees and their dependents is protected.

 

"HackerOne will also be evaluating Navia’s privacy and security policies and practices. If we are not satisfied, we will explore other potential options for benefits providers with our broker," it added.

 

Navia previously that after discovering the incident, it notified federal law enforcement about the incident, assessed the security of its systems, determined the number of affected people, and is working to implement additional safeguards and training for its employees. The health and financial benefits provider is also offering complimentary 12 months of credit monitoring services through Kroll to all affected individuals.