HackerOne hit by data breach via third-party partner

HackerOne has confirmed that employee personal data was leaked following a security incident at Navia, an external provider of employee benefits. The incident did not occur within HackerOne’s own systems, but at Navia, a U.S. company of which HackerOne is a client.

An official report to the U.S. regulator indicates that attackers gained access to Navia’s systems between December 22, 2025, and January 15, 2026. The breach was discovered on January 23, followed by further analysis, and affected organizations were subsequently notified. It wasn’t until mid-March that affected individuals were informed, reports BleepingComputer.

A total of 287 HackerOne employees were affected by the data breach. While this is a relatively small number, the nature of the data underscores the potential risk. Only one of the affected individuals is located in the U.S. state of Maine, where the report was required to be filed.

The stolen information consists of a combination of identifying and sensitive personal data. This includes names, addresses, phone numbers, and email addresses, as well as dates of birth and U.S. Social Security numbers. In addition, data on program participation and administrative data, such as enrollment and withdrawal dates, were accessed. In some cases, this also includes information about family members.

According to the report, this was an external system breach in which unauthorized individuals exploited a vulnerability in the access control system. This allowed data to be accessed without the required permissions. The perpetrators of the attack are unknown, and no party has claimed responsibility.

Risk of phishing and misuse remains high

Although there are no indications that financial data or claims systems have been compromised, the risk to those affected remains significant. The combination of personal data makes targeted phishing and other forms of social engineering plausible. Attackers can use this information to create credible messages or impersonate trustworthy parties.

HackerOne therefore advises affected employees to be alert to suspicious communications and to closely monitor their accounts and financial data. It also recommends changing passwords and security questions that are related to the leaked information.

Navia offers identity protection and credit monitoring through Kroll. Depending on the situation, this service can be utilized for up to two years. In this way, the service provider aims to limit the impact of the incident on those affected.

The incident once again underscores the risks of relying on third parties to handle sensitive data. Even when an organization has its own security in place, vulnerabilities in its suppliers can still lead to data breaches with direct consequences for employees or customers.