Third-Party-Risk

• HackerOne Employee Data Exposed via BOLA Flaw in Benefits Provider Navia March 25, 2026

  A BOLA vulnerability in Navia Benefit Solutions exposed data on almost 300 HackerOne employees over 24 days. HackerOne is publicly criticising Navia's slow disclosure -- an irony worth sitting with, given that responsible disclosure is HackerOne's entire reason for existing.

• Crunchyroll Breached via BPO Partner: 100GB Allegedly Stolen, Still No Disclosure March 23, 2026

  A threat actor claims to have exfiltrated 100GB of customer data from Crunchyroll after compromising a Telus BPO employee on March 12, 2026. Eleven days later, Crunchyroll has made no public disclosure -- raising serious questions about GDPR compliance and third-party vendor risk.