Navia Breach Exposes HackerOne Employee PII Due to BOLA-Style Access Flaw

A breach at Navia Benefit Solutions, a third-party vendor, exposed the personally identifiable information (PII) of approximately 287 HackerOne employees. The incident involved an authentication flaw (BOLA-style) that allowed unauthorized access to sensitive data, including Social Security numbers, dates of birth, addresses, and benefits information. The exposure window spanned from December 2025 to January 2026, and Navia delayed breach notifications by weeks. The breach also impacted over 10,000 U.S. employees beyond HackerOne.