Almost 300 HackerOne employees are caught up in a data breach, with the bug bounty biz slamming a third-party benefits provider for a weeks-long delay in notification.

In a filing with Maine's attorney general, HackerOne claimed the breach stemmed not from its own systems but from Navia Benefit Solutions, a US-based administrator handling employee benefits data.

According to a notification letter sent to affected staff, an unknown cyber baddie exploited a Broken Object Level Authorization (BOLA) flaw in Navia's environment, allowing unauthorized access to sensitive data between December 22, 2025, and January 15, 2026.

Navia detected "suspicious activity" on January 23 and began investigating, the notice states. HackerOne says it didn't receive formal notification until March after letters dated February 20 were sent but delayed in transit.

HackerOne made clear it is less than impressed with that timeline, noting it is still waiting for "a satisfactory reason for the delay in their notification."

The wider incident is far bigger than HackerOne alone. Navia said last week that the months-old breach of its systems affected more than 2.6 million people. Navia hasn't shared any further details about the intrusion, and its website was unavailable at the time of writing, though it's unclear whether the two are connected.

The exposed data reads like a greatest hits of identity theft fodder. HackerOne employees may have had Social Security Numbers, full names, addresses, phone numbers, dates of birth, and email addresses compromised, along with details about health plan participation and information on dependents.

While Navia has claimed there is no evidence of misuse so far, HackerOne is proceeding on the assumption that the data could still be abused. Employees were warned to watch for fraud, phishing attempts, and unusual financial activity, and to consider locking down their credit.

The company also signaled it may rethink its supplier relationships.
It said it is review...
First seen: 2026-03-24 14:30
Last seen: 2026-03-26 20:15