
Bug Bounty Platform HackerOne Hit by Supply Chain Breach in Navia Hack

March 25, 2026

Bug bounty platform HackerOne is facing an uncomfortable irony: the company that helps organisations find security flaws has been caught in a supply chain breach that exposed employee data for weeks before anyone knew it had happened. HackerOne disclosed on March 23, 2026 that 287 employee records were stolen after attackers exploited a vulnerability at Navia Benefit Solutions, its US benefits administrator.

The attack stretched from December 22, 2025 to January 15, 2026, yet HackerOne did not receive formal notification until March. Navia blamed the delay on completing its forensic investigation, but The Register reports HackerOne is openly questioning the timeline and “demanding a satisfactory explanation” from its supplier.

A Single API Flaw Exposed 2.7 Million Records

The root cause was a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API. According to Cybersecurity News, this flaw allowed attackers unauthorised read-only access to internal systems without deploying ransomware or altering data, which kept the intrusion hidden for weeks. The vulnerability ultimately exposed personal data belonging to 2.7 million individuals across Navia’s 10,000 corporate clients.
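To make the BOLA pattern concrete, here is an added illustration (not Navia's or HackerOne's code; the records, user names and log lines are constructed): a minimal benefits-record lookup with the object-level flaw, the same lookup with an ownership check, and a small detector for one requester walking through many record ids.

```python
# Added example: BOLA-style flaw, its object-level authorization fix, and a
# simple enumeration check. All data below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class BenefitRecord:
    record_id: int
    owner_id: str      # employee who owns the record
    employer_id: str   # corporate client the record belongs to
    ssn_last4: str


# Constructed sample data: two employees at two different client companies.
RECORDS = {
    1001: BenefitRecord(1001, "alice", "acme", "1234"),
    1002: BenefitRecord(1002, "bob", "globex", "5678"),
}


class Forbidden(Exception):
    pass


def get_record_vulnerable(requester_id: str, record_id: int) -> BenefitRecord:
    """BOLA: any authenticated caller can read any record by supplying its id."""
    return RECORDS[record_id]


def get_record_hardened(requester_id: str, record_id: int,
                        admin_for: frozenset = frozenset()) -> BenefitRecord:
    """Object-level check: the record must belong to the requester, or the
    requester must administer the employer the record belongs to."""
    rec = RECORDS[record_id]  # unknown ids raise KeyError, handled by the caller
    if rec.owner_id != requester_id and rec.employer_id not in admin_for:
        raise Forbidden(f"{requester_id} may not read record {record_id}")
    return rec


# Constructed access log: "requester record_id http_status".
SAMPLE_LOG = [
    "alice 1001 200", "bob 1002 200",
    "mallory 1001 200", "mallory 1002 200", "mallory 1003 404", "mallory 1004 404",
]


def suspicious_enumerators(log_lines, threshold=3):
    """Detection: requesters touching more distinct record ids than threshold."""
    seen = {}
    for line in log_lines:
        requester, record_id, _status = line.split()
        seen.setdefault(requester, set()).add(record_id)
    return sorted(r for r, ids in seen.items() if len(ids) > threshold)
```

Read-only access such as this leaves no modified data behind, so the access-log pattern (one principal, many object ids, a mix of 200 and 404 responses) is often the only signal.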

No ransomware group has claimed responsibility for the attack, and HIPAA Journal confirms Navia has not disclosed whether a ransom was demanded. The stolen data included Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, and health plan details — enough to fuel targeted identity theft campaigns even without payment card data.

HackerOne’s criticism of the disclosure timeline is justified. The company discovered it was affected only after receiving Navia’s February 20, 2026 notification letter, nearly six weeks after Navia had detected the breach. For a firm whose business depends on rapid vulnerability disclosure, that lag represents exactly the kind of supplier risk that boards struggle to control.

Second Major Breach in Eight Months

This incident follows another supply chain compromise at HackerOne. Cybernews reports that in September 2025, HackerOne confirmed it was among the companies affected by a Salesforce data breach conducted by the Scattered LAPSUS$ Hunters gang, which compromised over 700 major organisations including Google, FedEx, and Disney.

Two supply chain breaches in eight months raise questions about vendor risk management practices at a company that exists to identify security weaknesses. HackerOne has announced it is reviewing Navia’s security practices and may switch providers if those practices prove inadequate.

What Companies Should Do

This breach demonstrates why third-party risk assessments must include notification timelines, not just security controls. Contract language should specify maximum disclosure windows, with penalties for delays that leave downstream customers exposed without their knowledge.

For HackerOne employees affected by the breach, the company has provided 12 months of free identity monitoring through Kroll. Anyone using the same password on multiple services should change those credentials immediately, as the stolen data provides enough detail for convincing phishing campaigns.

SecurityWeek notes the broader lesson: even firms specialising in security cannot eliminate supply chain risk entirely, but they can demand transparency when breaches occur. HackerOne’s public criticism of Navia’s delayed disclosure may force other benefits providers to reconsider their own incident response timelines.

References

  1. BleepingComputer: HackerOne discloses employee data breach after Navia hack
  2. The Register: HackerOne slams supplier for delayed breach notice
  3. Cybersecurity News: HackerOne Data Breach – Employees Data Stolen Following Navia Hack
  4. HIPAA Journal: Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals
  5. Cybernews: HackerOne questions delayed notice after its provider was hacked
  6. SecurityWeek: HackerOne Employee Data Exposed in Massive Navia Breach
