
HackerOne Inc., a San Francisco-based cybersecurity company known for connecting organizations with ethical hackers through bug bounty programs, reported a data breach tied to one of its U.S. benefits administrators, Navia Benefit Solutions Inc.
Navia first discovered the breach on Jan. 23, 2026.
The breach has affected 287 individuals in the United States tied to HackerOne, exposing sensitive employee and dependent information.
The breach was disclosed to the Maine Attorney General on March 23, 2026, with one Maine resident identified as affected. HackerOne began notifying affected consumers by written notice on March 17, 2026.
The breach did not occur in HackerOne's own systems. Instead, it originated at Navia Benefit Solutions Inc., a third-party company based in Renton, Washington, that administers employee benefits for HackerOne and other organizations.
According to HackerOne's notification to consumers, a security flaw known as a Broken Object Level Authorization (BOLA) vulnerability in Navia's systems allowed an unknown actor to access data. A BOLA flaw exists when an application does not check that the requester is authorized for the specific record being requested, so unauthorized users can view information they should not have access to.
The unauthorized access took place between Dec. 22, 2025, and Jan. 15, 2026. Navia's notice to affected individuals stated that the investigation determined an unauthorized actor "accessed and acquired" certain information during that period.
On Jan. 23, 2026, Navia became aware of suspicious activity in its environment and launched an investigation to confirm the nature and scope of the incident.
After completing its review, Navia sent letters dated Feb. 20, 2026, to companies whose employee data was involved. After verifying the letter's legitimacy, HackerOne met with Navia on March 13 to understand the scope of the incident and what data was affected.
The types of information exposed included Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, health plan participation status, non-health plan participation status, plan enrollment dates, effective dates and termination dates.
Information belonging to dependents of affected employees was also involved.
According to the notification, HackerOne is still awaiting additional information from Navia about the vulnerability that led to the breach.
HackerOne said it is evaluating Navia's privacy and security policies and practices. The company stated that if it is not satisfied with what it finds, it will explore other potential options for benefits providers with its broker.
In its notice, HackerOne said it wanted to reach out to affected individuals as soon as possible so they could take appropriate safeguards, even before Navia sent its own required notifications. HackerOne noted that while Navia has represented there is nothing to suggest the exposed data has been misused, the company is proceeding as if misuse is still a possibility because unauthorized persons may have been able to view the data.
According to HackerOne's notice, possible consequences of the breach include potential misuse or publication of personal data that could result in identity theft, fraud or other financial loss.
Navia is offering affected individuals complimentary credit monitoring services through Kroll, according to both HackerOne's and Navia's notices. Enrollment details and deadlines will be included in Navia's individual notifications to affected consumers.
Affected individuals with questions can contact HackerOne at security@hackerone.com. Navia has also established a dedicated assistance line, with contact details included in its individual notifications.







