Employee PII Breach at Navia Exposes 287 HackerOne Staff via BOLA Vulnerability
What Happened — Attackers exploited a Broken Object Level Authorization (BOLA) flaw in Navia, a benefits‑administration platform used by HackerOne, to steal personal data of 287 HackerOne employees and their dependents between Dec 22 2025 and Jan 15 2026. The breach was disclosed in March 2026 after Navia reported suspicious activity.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Employee PII (SSNs, DOB, addresses) can be weaponised for credential‑stuffing and social‑engineering attacks against your own workforce and partners.
- A third‑party benefits administrator’s vulnerability directly compromises the security posture of a critical security‑services vendor (HackerOne).
- The incident highlights the need for continuous assessment of third‑party access controls and data‑handling practices.
Who Is Affected — Financial‑services/benefits administration sector (Navia) and security‑services sector (HackerOne).
Recommended Actions — Review contracts with Navia and HackerOne for data‑protection clauses, verify that BOLA remediation has been completed, and mandate multi‑factor authentication and monitoring for any accounts that could be targeted using the exposed data.
Technical Notes — Attack vector: exploitation of a BOLA vulnerability (unauthorised object access, i.e. reading data objects that belong to other users by supplying their identifiers) leading to exfiltration of SSNs, full names, addresses, DOB, email addresses, and employment dates. No ransomware or extortion was reported. Source: BleepingComputer
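The following is an added illustration, not code from Navia, HackerOne, or the BleepingComputer report, of what the attack vector in the Technical Notes looks like in code and of the kind of check the Recommended Actions ask for. It shows a BOLA‑prone record lookup beside its hardened form (per‑object ownership check decided server‑side) and a small log heuristic that flags a single account reading many distinct participant records, which is the enumeration pattern a BOLA flaw enables. The participant records, user ids, the `/api/participants/<id>` route, and the log lines are all constructed for the example.

```python
"""Added illustration (not Navia's or HackerOne's code): a Broken Object Level
Authorization (BOLA) lookup beside its hardened form, plus a log heuristic that
flags record enumeration. All records, users, routes and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import re


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object."""


@dataclass(frozen=True)
class Participant:
    record_id: int
    owner_user_id: int      # the account allowed to view this record
    full_name: str
    ssn_last4: str          # constructed sample; a real benefits record holds far more PII


# Constructed sample data: two benefits participants belonging to different accounts.
RECORDS = {
    1001: Participant(1001, owner_user_id=7, full_name="Alice Example", ssn_last4="1234"),
    1002: Participant(1002, owner_user_id=8, full_name="Bob Example", ssn_last4="5678"),
}


def get_participant_vulnerable(caller_user_id: int, record_id: int) -> Participant:
    """BOLA pattern: the record is fetched by the client-supplied id and the
    caller's identity is never compared with the record's owner, so any
    authenticated user can read any record simply by changing the id."""
    return RECORDS[record_id]


def get_participant(caller_user_id: int, record_id: int, is_admin: bool = False) -> Participant:
    """Hardened form: authorisation is decided server-side, per object.
    A non-owner gets the same error as a missing record, so the endpoint
    cannot be used to confirm which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or (record.owner_user_id != caller_user_id and not is_admin):
        raise Forbidden(f"record {record_id} not accessible to user {caller_user_id}")
    return record


def can_read(caller_user_id: int, record_id: int, is_admin: bool = False) -> bool:
    """Boolean wrapper around the hardened lookup, convenient for checks and tests."""
    try:
        get_participant(caller_user_id, record_id, is_admin)
        return True
    except Forbidden:
        return False


# Constructed access-log format: "<timestamp> user=<id> GET /api/participants/<record> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) GET /api/participants/(?P<rid>\d+) (?P<status>\d{3})$"
)

# Constructed log: users 7 and 8 read their own record; user 9 walks through ids.
SAMPLE_LOG = """\
2025-12-23T01:00:01Z user=7 GET /api/participants/1001 200
2025-12-23T01:00:05Z user=9 GET /api/participants/1000 200
2025-12-23T01:00:06Z user=9 GET /api/participants/1001 200
2025-12-23T01:00:07Z user=9 GET /api/participants/1002 200
2025-12-23T01:00:08Z user=9 GET /api/participants/1003 200
2025-12-23T01:00:09Z user=9 GET /api/participants/1004 200
2025-12-23T01:00:30Z user=8 GET /api/participants/1002 200
"""


def find_enumerators(log_text: str, max_distinct_ids: int = 3) -> dict[int, list[int]]:
    """Flag users who read more distinct participant records than one benefits
    participant plausibly owns. Before remediation this volume signal is the
    main clue; after remediation the same requests surface as 4xx responses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not participant reads
        seen[int(m["user"])].add(int(m["rid"]))
    return {user: sorted(ids) for user, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    print("vulnerable lookup, user 9 reading record 1001:", get_participant_vulnerable(9, 1001))
    print("hardened lookup, user 9 reading record 1001 allowed:", can_read(9, 1001))
    print("hardened lookup, owner 7 reading record 1001 allowed:", can_read(7, 1001))
    print("suspected enumeration:", find_enumerators(SAMPLE_LOG))
```

The hardened lookup keeps the identifier‑based routing but adds an ownership decision on the server, which is the remediation to verify during a vendor review: every endpoint that takes an object id must compare the caller against that object's owner (or an explicit role), and should return the same response for "not yours" and "does not exist". The log heuristic is deliberately simple; in production the threshold would be tuned per endpoint and combined with the rate of authorisation failures once the fix is in place.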