HackerOne discloses employee data breach after Navia hack

Bug bounty platform HackerOne notified hundreds of employees that their personal data was stolen after attackers breached Navia, a U.S. benefits administrator serving over 10,000 employers. The breach was caused by a Broken Object Level Authorization (BOLA) vulnerability that exposed Social Security numbers and other sensitive details for 287 employees and their dependents. It increases the risk of phishing and social engineering, even though Navia says claims and financial accounts were not affected.

Key points

  • HackerOne reported that attackers accessed employee data after Navia was compromised.
  • A Broken Object Level Authorization (BOLA) vulnerability allowed access between December 22, 2025 and January 15, 2026.
  • 287 HackerOne employees had sensitive information exposed, including Social Security numbers, names, and dates of birth.
  • Navia notified impacted companies on February 20, 2026 and is providing 12 months of identity protection and credit monitoring.
  • Exposed records could enable targeted phishing and social engineering against affected individuals even though financial accounts were not impacted.

Read More: https://www.bleepingcomputer.com/news/security/hackerone-discloses-employee-data-breach-after-navia-hack/