Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

HackerOne disclosed that a third-party benefits provider, Navia Benefit Solutions, exposed employee data through a Broken Object Level Authorization (BOLA) flaw exploited between December 22, 2025 and January 15, 2026. HackerOne says it did not receive formal notification until March 2026, after letters dated February 20 were apparently delayed in transit. The wider Navia breach affected nearly 2.7 million people across all of its clients, not just HackerOne.


Changelog

Date         Summary
25 Mar 2026  Initial publication.

HackerOne runs the world’s largest bug bounty platform. Its product is, essentially, responsible disclosure at scale. Companies pay it to receive security vulnerability reports quickly, handle them properly, and close the loop with researchers. That’s the whole business model.

So when HackerOne filed with Maine’s attorney general this week noting it is still waiting for “a satisfactory reason for the delay” in a supplier’s breach notification, the irony lands hard.

What Happened

A BOLA vulnerability in Navia Benefit Solutions – a US-based administrator handling HackerOne’s employee benefits – allowed an unknown actor to access sensitive data for 24 days, from December 22, 2025 through January 15, 2026.

BOLA (also catalogued as IDOR in older classifications) is an access control failure at the API layer. The application correctly authenticates the user but fails to verify whether that user has authorisation to access the specific object they’re requesting. In practice: you’re logged in as user A, but by manipulating an object ID in the API request, you can pull data belonging to user B, user C, or anyone else in the system. It’s one of the most consistently exploited API flaws in production systems precisely because it’s easy to introduce and often not caught in standard security testing.
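To make the BOLA pattern concrete, here is an added example (constructed for this article, not Navia's or HackerOne's code) of a benefits-record lookup with the flaw beside its fixed version, plus a simple log check a provider could run over its own API access logs. The `/benefits/{record_id}` endpoint shape, the user and record ids, and the log format are all assumptions made for illustration.

```python
"""BOLA: a vulnerable object lookup, its hardened form, and a log-based check.

Constructed example for illustration; the API shape, sample records and log
lines are assumed and do not come from any real provider.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BenefitRecord:
    record_id: int
    owner_user_id: int
    ssn_last4: str
    plan: str


# Constructed sample data: two employees, each owning one benefits record.
RECORDS = {
    1001: BenefitRecord(1001, owner_user_id=1, ssn_last4="1234", plan="PPO"),
    1002: BenefitRecord(1002, owner_user_id=2, ssn_last4="5678", plan="HMO"),
}


class Forbidden(Exception):
    """Request has no authenticated session."""


class NotFound(Exception):
    """Record does not exist for this caller."""


def get_record_vulnerable(session_user_id, record_id):
    """The BOLA bug: authentication is checked, object ownership is not.

    Any logged-in user can read any record simply by changing record_id.
    """
    if session_user_id is None:
        raise Forbidden("not authenticated")
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id) from None


def get_record_fixed(session_user_id, record_id):
    """Object-level authorisation: the caller must own the record.

    Missing and foreign records get the same NotFound, so the response does
    not reveal which ids exist.
    """
    if session_user_id is None:
        raise Forbidden("not authenticated")
    record = RECORDS.get(record_id)
    if record is None or record.owner_user_id != session_user_id:
        raise NotFound(record_id)
    return record


def is_denied_after_fix(session_user_id, record_id):
    """True when the fixed handler refuses the lookup."""
    try:
        get_record_fixed(session_user_id, record_id)
    except NotFound:
        return True
    return False


# Assumed access-log format for the detection check below.
LOG_RE = re.compile(r"user=(?P<user>\d+) GET /benefits/(?P<rid>\d+) (?P<status>\d{3})")


def flag_enumeration(log_lines, max_distinct_ids=3):
    """Return user ids that successfully fetched more than max_distinct_ids
    distinct records. One employee normally touches their own record or two;
    a single session walking many ids is the BOLA exploitation signature."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("status") == "200":
            seen[int(m.group("user"))].add(int(m.group("rid")))
    return sorted(u for u, ids in seen.items() if len(ids) > max_distinct_ids)


# Constructed log lines: user 7 walks four record ids in a few seconds.
SAMPLE_LOG = [
    "2025-12-22T03:14:07Z user=1 GET /benefits/1001 200",
    "2025-12-22T03:14:09Z user=7 GET /benefits/1001 200",
    "2025-12-22T03:14:10Z user=7 GET /benefits/1002 200",
    "2025-12-22T03:14:11Z user=7 GET /benefits/1003 200",
    "2025-12-22T03:14:12Z user=7 GET /benefits/1004 200",
    "2025-12-22T03:14:13Z user=2 GET /benefits/1002 200",
]


if __name__ == "__main__":
    # User 1 asks for user 2's record: leaks under the bug, denied after the fix.
    print("vulnerable:", get_record_vulnerable(1, 1002))
    print("fixed denies:", is_denied_after_fix(1, 1002))
    print("suspicious users:", flag_enumeration(SAMPLE_LOG))
```

The fix is a one-line ownership comparison; the hard part in real systems is making sure every object-returning handler performs it, which is why the check belongs in a shared data-access layer rather than in each route. The log heuristic is deliberately crude (a per-user distinct-id count) and would be tuned per application, but it shows the kind of signal that can shorten the gap between exploitation and detection.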

Navia detected suspicious activity on January 23 and began investigating. Letters dated February 20 were dispatched, but HackerOne says it didn’t receive formal notification until March. Almost 300 HackerOne employees are caught up in this. The exposed data includes Social Security Numbers, full names, addresses, phone numbers, dates of birth, email addresses, health plan participation details, and information on dependents.

That’s a complete identity theft starter pack. Navia has said there is no evidence of misuse so far. HackerOne is proceeding on the assumption the data can and may still be abused, advising staff to watch for fraud and consider credit freezes.

The Disclosure Gap

Between detecting suspicious activity (January 23) and HackerOne receiving formal notification (March) sits roughly six weeks. The letters were dated February 20 – itself nearly four weeks after detection – and then allegedly lost in transit.

For most companies, that delay would be unfortunate. For HackerOne, it reads as a case study from their own training materials. The company has built its reputation on the premise that fast, clear disclosure is a professional obligation. They now find themselves on the receiving end of the exact failure mode they exist to prevent.

HackerOne says it is reviewing Navia’s security and privacy practices and is considering switching providers if those reviews don’t satisfy them.

The Actual Lesson: Third-Party Risk Doesn’t Care About Your Security Posture

HackerOne’s own systems were not breached. Their engineers didn’t ship vulnerable code. Their security team didn’t miss an alert. None of it mattered, because Navia had a BOLA flaw and HackerOne’s employee data sat in Navia’s environment.

This is the structural problem with third-party risk that procurement checklists don’t solve. You can run a mature security programme internally – regular pentests, red team exercises, robust access controls, the works – and still have your employees’ SSNs and health records exposed because a benefits administrator or payroll processor or HR platform you’ve contracted with has an API that doesn’t check object-level authorisation.

The Navia breach isn’t just a HackerOne problem. Navia’s total breach affected nearly 2.7 million people. Every organisation that handed employee benefits administration to Navia is in the same position, regardless of their own security maturity. The attack surface is wherever your data lives, not just where your engineers write code.

For engineering and security teams: the question worth asking isn’t “what’s our security posture?” It’s “what’s our suppliers’ security posture, and how would we know if it failed?” Vendor security questionnaires are a start. Contractual notification obligations are necessary. But the Navia timeline – 24 days of unauthorised access, six weeks before notification reached the affected party – shows how much runway an attacker gets even after detection, before you have any visibility.

HackerOne will likely tighten its supplier requirements. Every organisation with employee data in third-party HR or benefits platforms should be asking the same questions, and not waiting for their own breach filing to prompt it.