Breaches · HIGH

Data Breach - HackerOne Discloses Employee Data Theft

BleepingComputer
HackerOne · Navia · data breach · employee data · BOLA vulnerability

Basically, hackers stole personal data from employees of HackerOne through a vulnerability in Navia's system.

Quick Summary

HackerOne has revealed a data breach affecting hundreds of employees due to a hack on Navia. Sensitive personal information was stolen, raising security concerns. Affected individuals are urged to monitor their accounts and utilize identity protection services.

What Happened

HackerOne, a prominent bug bounty platform, has disclosed a significant data breach affecting its employees. The breach occurred after attackers exploited a Broken Object Level Authorization (BOLA) vulnerability in Navia, a U.S. benefits administrator. Between December 22, 2025, and January 15, 2026, attackers gained unauthorized access to sensitive employee data. Navia became aware of the suspicious activity on January 23, 2026, and subsequently notified affected companies on February 20, 2026.

The breach has impacted 287 employees of HackerOne, raising alarms about the security of personal data in the digital age. HackerOne manages a vast number of bug bounty programs for high-profile companies and government agencies, making this incident particularly concerning.

Who's Affected

The breach has directly affected hundreds of employees at HackerOne, whose personal information was compromised. This includes not just the employees but also their dependents, as the stolen data encompasses a wide range of sensitive information. The affected individuals were notified about the breach and are now at risk of potential phishing and social engineering attacks.

Navia serves over 10,000 employers across the United States, which means the impact of this breach could extend beyond just HackerOne. The incident highlights the vulnerabilities present in third-party service providers, emphasizing the need for robust security measures.

What Data Was Exposed

The exposed data includes critical personal information such as:

  • Social Security numbers
  • Full names
  • Addresses
  • Phone numbers
  • Dates of birth
  • Email addresses
  • Plan enrollment dates
  • Effective and termination dates for employment benefits

Although Navia has stated that the breach did not affect financial claims or sensitive financial information, the data stolen is still sufficient for attackers to conduct targeted phishing campaigns. This raises serious concerns about the security of personal data and the potential repercussions for those affected.

What You Should Do

HackerOne has advised impacted employees to take several precautionary measures. They should:

  • Monitor their financial accounts for unusual activity
  • Be cautious of suspicious messages that may attempt to exploit the stolen data
  • Utilize the 12-month free identity protection and credit monitoring service provided by Navia
  • Consider changing passwords or security questions related to the exposed personal data

As the investigation continues, it is crucial for those affected to remain vigilant. The breach serves as a stark reminder of the importance of cybersecurity, especially when dealing with sensitive personal information. Organizations must prioritize securing their systems and ensuring that third-party vendors also adhere to stringent security protocols.

🔒 Pro insight: This breach underscores the risks associated with third-party vendors; organizations must enhance their vetting and monitoring processes.

Original article from

BleepingComputer · Sergiu Gatlan
