HackerOne discloses employee data breach after Navia hack
HackerOne had the data of 287 employees exposed after Navia was hacked, including sensitive information such as Social Security numbers and addresses. Employees are advised to watch for unusual activity and use the free identity protection service.

2026-3-24 14:15:18 Author: www.bleepingcomputer.com

Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators.

HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies like General Motors, Goldman Sachs, Anthropic, GitHub, and Uber, as well as to U.S. government agencies such as the Department of Defense.

Navia is a leading consumer-focused benefits administrator serving over 10,000 employers across the United States.

In a filing with the Office of the Maine Attorney General, HackerOne also revealed that the data breach exposed the sensitive information of 287 employees.

"At this time, we have been informed that a Broken Object Level Authorization (BOLA) vulnerability led to an unknown actor accessing Navia data between December 22, 2025, and January 15, 2026," the company said. "On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026 to impacted companies."

The exposed information includes a combination of Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for each affected employee and their dependents.

HackerOne also encouraged impacted employees to be cautious of suspicious messages, monitor their financial accounts for unusual activity, and take advantage of the 12-month free identity protection and credit monitoring service provided by Navia.

"You may also want to consider changing passwords or password hints/security questions if they involve the personal data listed above," the company added.

When it disclosed the incident earlier this month, Navia underlined that the data breach did not impact affected individuals' claims or financial information.

However, the exposed data is sufficient for threat actors to launch phishing and social engineering attacks against people impacted by the incident.

Although Navia flagged the incident as a data theft attack, no cybercrime group or ransomware operation has taken responsibility for the breach.

Article source: https://www.bleepingcomputer.com/news/security/hackerone-discloses-employee-data-breach-after-navia-hack/