- HackerOne confirms supply chain breach via Navia benefits provider
- 287 employees’ sensitive data exposed, including SSNs, addresses, and health plan details
- HackerOne criticizes Navia’s slow response; no evidence of data misuse yet, but 2.7 million people affected overall
HackerOne has revealed it was the victim of a supply chain attack in which it lost sensitive employee data.
The company has filed a new report with the Office of the Maine Attorney General, confirming that 287 of its employees lost a combination of: Social Security number, full name, address, phone number, date of birth, email address, health plan participation (Y/N), non-health plan participation (Y/N), plan enrollment dates, effective dates, and termination dates.
In a letter sent to affected individuals, HackerOne explained that in late December 2025 and early January 2026, a threat actor managed to leverage a Broken Object Level Authorization (BOLA) vulnerability in Navia, an employee benefits solutions provider.
No claims yet
“On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026, to impacted companies,” the letter further reads.
HackerOne said it only received the letter in March 2026, slamming the service provider for its seemingly slow response:
“We are still awaiting more information about the vulnerability that led to this incident, and a satisfactory reason for the delay in their notification to us,” HackerOne said. The company stressed that it will analyze Navia’s security practices directly and re-evaluate using its services.
So far, there is no evidence to suggest the stolen data is being abused in the wild, HackerOne says. However, it still urges all affected individuals to be careful of incoming emails and other forms of communication, especially those claiming to originate from either HackerOne or Navia.
Navia handles benefits for more than 10,000 US employers. According to an earlier report by TechRepublic, the Navia breach affected almost 2.7 million people. No threat actor groups have yet claimed responsibility for the attack.
Via BleepingComputer

