Breaches | HIGH

Data Breach - HackerOne Criticizes Supplier's Delay


Basically, HackerOne is upset because their employees' data was exposed and they weren't told in time.

Quick Summary

HackerOne is upset with Navia for delaying a breach notice affecting nearly 300 employees. Sensitive data was exposed, raising serious concerns about identity theft. The incident highlights the risks of relying on third-party suppliers.

What Happened

HackerOne recently faced a significant data breach affecting nearly 300 employees due to a vulnerability in a third-party benefits provider, Navia Benefit Solutions. The breach occurred between December 22, 2025, and January 15, 2026, when an unknown attacker exploited a Broken Object Level Authorization (BOLA) flaw in Navia's system, a class of bug in which an API serves a record by its identifier without verifying that the caller is entitled to that specific object. The situation escalated when HackerOne learned of the breach weeks later, raising serious concerns about the notification timeline.
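To make the vulnerability class concrete, here is an added illustration (constructed demo code, not Navia's or HackerOne's system) of a BOLA-prone record lookup beside one that enforces object-level authorization, plus a small audit wrapper whose denial log is the kind of signal a defender would watch for. The record store, user ids and field values are all invented for the example.

```python
# Added illustration of the Broken Object Level Authorization (BOLA) class
# named in the article. Constructed demo code, not Navia's or HackerOne's
# system: an in-memory "benefits record" API with a handler that looks up
# records by id alone, beside a handler that also checks ownership.
from dataclasses import dataclass


@dataclass(frozen=True)
class BenefitsRecord:
    record_id: int
    owner_user_id: int
    ssn_last4: str        # constructed sample value, not real data
    health_plan: str


# Constructed sample store: two participants belonging to two different users.
RECORDS = {
    1001: BenefitsRecord(1001, owner_user_id=7, ssn_last4="1234", health_plan="PPO"),
    1002: BenefitsRecord(1002, owner_user_id=9, ssn_last4="5678", health_plan="HDHP"),
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


def get_record_vulnerable(caller_user_id: int, record_id: int) -> BenefitsRecord:
    """BOLA pattern: the caller is authenticated (caller_user_id is assumed to
    come from the auth layer) but ownership of record_id is never checked, so
    any authenticated user can read any record whose id they can guess."""
    return RECORDS[record_id]


def get_record_hardened(caller_user_id: int, record_id: int) -> BenefitsRecord:
    """Object-level authorization: the lookup is scoped to the caller, and a
    record owned by someone else is treated exactly like a missing one, so
    the response does not reveal which ids exist."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner_user_id != caller_user_id:
        raise Forbidden(f"user {caller_user_id} may not read record {record_id}")
    return rec


def audit_access(handler, caller_user_id: int, record_id: int) -> str:
    """Wraps a handler and records the outcome. A burst of 'denied' results
    from one caller across sequential ids is the detection signal for an
    enumeration attempt against the hardened handler."""
    try:
        handler(caller_user_id, record_id)
        outcome = "allowed"
    except (Forbidden, KeyError):
        outcome = "denied"
    print(f"user={caller_user_id} record={record_id} outcome={outcome}")
    return outcome
```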

Navia detected suspicious activity on January 23, but HackerOne did not receive formal notification until March, after letters dated February 20 were delayed in transit. This delay has left HackerOne frustrated, as they are still waiting for a satisfactory explanation from Navia about the notification lag.

Who's Affected

The breach has impacted nearly 300 employees at HackerOne, exposing a wealth of sensitive personal information. This includes Social Security Numbers, full names, addresses, phone numbers, dates of birth, and email addresses, along with health plan participation details and dependent information. While Navia claims there is no evidence of misuse so far, the potential for identity theft remains a serious concern.

The wider impact of this breach is even more alarming, as Navia reported that over 2.6 million individuals may have been affected. This incident highlights the vulnerabilities that can exist within third-party systems and the cascading effects that can occur when a supplier fails to secure its environment adequately.

What Data Was Exposed

The exposed data represents a treasure trove for identity thieves. HackerOne employees are at risk of having their Social Security Numbers and personal details compromised, which could lead to various forms of fraud. The types of data exposed can be used for identity theft, financial scams, and phishing attempts.

HackerOne has advised its employees to remain vigilant and monitor for any signs of fraud or unusual financial activity. They are also encouraged to consider locking down their credit to prevent unauthorized access. The company is taking this breach seriously, emphasizing the need for robust security measures from their suppliers moving forward.

What You Should Do

In light of this breach, it's crucial for individuals affected to take immediate action. Here are some recommended steps:

  • Monitor your financial accounts for any unusual activity.
  • Consider placing a fraud alert on your credit report to prevent new accounts from being opened in your name.
  • Lock or freeze your credit if you suspect your information has been compromised.
  • Stay alert for phishing emails that may attempt to exploit this situation further.

HackerOne is also reviewing its relationship with Navia and assessing their security practices. They may explore other options for benefits providers if Navia's security measures do not meet their standards. This incident serves as a stark reminder of the importance of timely breach notifications and the need for stringent security protocols among third-party vendors.

🔒 Pro insight: This breach underscores the critical need for timely incident response and robust security protocols among third-party vendors.

Original article from

The Register Security

