HackerOne demands clarity after delayed breach warning from Navia


HackerOne has been affected by a data breach at its provider, Navia. It is now publicly questioning not just the exposure but also the delay in notification.

The bug bounty platform HackerOne has been affected by a third-party data breach. Navia, the platform’s US benefits administrator, notified the Maine regulator of an attack discovered on January 23rd, 2026.

According to the statement, a Broken Object Level Authorization (BOLA) vulnerability enabled a threat actor to access Navia data between December 22nd, 2025, and January 15th, 2026.

HackerOne claims that the notice was late

HackerOne claims that Navia sent letters to impacted companies on February 20th, but the bounty program received the letter only in March. HackerOne says it is still waiting for an explanation for the late notice.

“After verifying the legitimacy of the letter received with Navia, we met with Navia on March 13th to understand what data was impacted and the nature of the security incident,” HackerOne wrote.

What HackerOne data was stolen?

According to data received from Navia, employee personal data is affected. The stolen data includes:

  • Social security number
  • Full Name
  • Address
  • Phone number
  • Date of Birth
  • Email address
  • Health plan participation
  • Non-health plan participation
  • Plan enrollment dates, effective dates, termination dates
  • The above information for dependents

HackerOne said it is investigating the incident. “HackerOne will also be evaluating Navia’s privacy and security policies and practices. If we are not satisfied, we will explore other potential options for benefits providers with our broker,” the company said in a statement.

Navia is providing identity protection services to affected individuals. According to the Maine Attorney General's website, 287 individuals were affected in total.

HackerOne was previously caught in the Salesforce breach spree

In September 2025, HackerOne confirmed it was among the companies affected by the Salesforce data breach conducted by the Scattered LAPSUS$ Hunters gang. Access was obtained through a compromise of the third-party application Drift, which is operated by Salesloft.

According to the company, its security team was first notified of a potential compromise by Salesforce on Friday, August 22nd, 2025.

The massive breach of the sales platform left over 700 major companies impacted, including Google, FedEx, UPS, Toyota, Stellantis, Adidas, Disney, and Home Depot.
