Full Report
Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators. [...]
Analysis Summary
# Incident Report: Supply Chain Compromise via Navia Benefit Solutions
## Executive Summary
HackerOne employees were impacted by a data breach following a successful cyberattack on Navia Benefit Solutions, a third-party benefits administrator. An attacker exploited a Broken Object Level Authorization (BOLA) vulnerability to exfiltrate the PII of 287 HackerOne employees and their dependents. While HackerOne’s internal systems were not breached, the incident highlights personal data risks associated with third-party service providers.
## Incident Details
- **Discovery Date:** January 23, 2026 (by Navia)
- **Incident Date:** December 22, 2025 – January 15, 2026
- **Affected Organization:** Navia Benefit Solutions (Primary); HackerOne (Secondary/Client)
- **Sector:** Human Resources / Benefits Administration
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** December 22, 2025
- **Vector:** Exploitation of Web Application Vulnerability
- **Details:** The attacker exploited a Broken Object Level Authorization (BOLA) flaw in Navia’s environment to gain unauthorized access to data records.
### Lateral Movement
- **Details:** Not explicitly disclosed. A BOLA vulnerability is typically exploited by directly manipulating resource identifiers in requests to read records belonging to other users or tenants, so it does not require lateral movement through the network in the traditional sense.
### Data Exfiltration/Impact
- **Date Range:** December 22, 2025 – January 15, 2026
- **Details:** The attacker accessed and exfiltrated sensitive PII belonging to employees of Navia’s clients, including 287 individuals at HackerOne.
### Detection & Response
- **January 23, 2026:** Navia detected suspicious activity in its environment.
- **February 20, 2026:** Navia notified impacted client companies (including HackerOne).
- **March 24, 2026:** HackerOne public disclosure and notification to the Maine Attorney General.
## Attack Methodology
- **Initial Access:** Exploitation of BOLA (Broken Object Level Authorization) vulnerability in a web application.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Horizontal escalation via the authorization flaw: the attacker read data outside the scope of the identity being used.
- **Defense Evasion:** Unknown; the attacker remained active for nearly a month before detection.
- **Credential Access:** N/A (Direct data access via API/Web exploit).
- **Discovery:** Resource ID enumeration/probing.
- **Lateral Movement:** N/A.
- **Collection:** Automated or manual harvesting of PII records via the vulnerable interface.
- **Exfiltration:** Standard web traffic/API responses.
- **Impact:** Unauthorized disclosure of PII.
## Impact Assessment
- **Financial:** Possible regulatory fines for Navia; costs associated with 12 months of credit monitoring for victims.
- **Data Breach:** Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, and benefits plan dates for 287 HackerOne employees and their dependents.
- **Operational:** Low for HackerOne (no system downtime); medium for Navia (remediation and audit requirements).
- **Reputational:** High for Navia; moderate for HackerOne (as a security-focused firm, any data leak regarding its employees is sensitive).
## Indicators of Compromise
- **Web Indicators:** Requests involving manipulation of ID parameters in URL/API calls (e.g., changing `user_id=101` to `user_id=102`).
- **Behavioral Indicators:** Unusual volume of requests from a single IP address targeting diverse record IDs; access to records outside of a logged-in user’s scope.
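The two indicator classes above can be checked mechanically against API access logs. The following is an added example, not code from Navia or HackerOne: it parses a constructed log excerpt (the format, IPs, principals and the `emp_<N>` owns participant `<N>` ownership rule are assumptions) and flags, first, successful reads of records outside the caller's own scope and, second, any client IP that touched an unusual number of distinct record IDs within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real Navia data). Assumed line format:
# <ISO timestamp> <client IP> user=<principal> <METHOD> <path> <status>
SAMPLE_LOG = """\
2025-12-22T03:14:05Z 198.51.100.4 user=emp_101 GET /api/participants/101 200
2025-12-22T03:14:09Z 198.51.100.4 user=emp_101 GET /api/participants/101/plan 200
2025-12-22T03:15:01Z 203.0.113.7 user=emp_204 GET /api/participants/204 200
2025-12-22T03:15:02Z 203.0.113.7 user=emp_204 GET /api/participants/205 200
2025-12-22T03:15:03Z 203.0.113.7 user=emp_204 GET /api/participants/206 200
2025-12-22T03:15:04Z 203.0.113.7 user=emp_204 GET /api/participants/207 200
2025-12-22T03:15:05Z 203.0.113.7 user=emp_204 GET /api/participants/208 404
2025-12-22T03:15:06Z 203.0.113.7 user=emp_204 GET /api/participants/209 200
2025-12-22T03:20:00Z 192.0.2.9 user=emp_330 GET /api/participants/330 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
# Only the object ID right after the collection name matters for scope checks.
RECORD_RE = re.compile(r"^/api/participants/(?P<rid>\d+)")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    r = RECORD_RE.match(ev["path"])
    ev["record_id"] = int(r.group("rid")) if r else None
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def owned_record(user):
    # Assumed ownership rule for the constructed data: principal emp_<N> owns participant N.
    return int(user.split("_", 1)[1])


def analyze(log_text, distinct_threshold=5, window=timedelta(minutes=5)):
    """Flag out-of-scope successful reads and IPs enumerating many distinct record IDs."""
    out_of_scope = []          # (user, record_id, ip) for 200 responses on foreign records
    per_ip = defaultdict(list)  # ip -> [(ts, record_id), ...] including failed probes
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["record_id"] is None:
            continue
        if ev["status"] == 200 and ev["record_id"] != owned_record(ev["user"]):
            out_of_scope.append((ev["user"], ev["record_id"], ev["ip"]))
        per_ip[ev["ip"]].append((ev["ts"], ev["record_id"]))

    enumerators = {}
    for ip, events in per_ip.items():
        events.sort()
        # Sliding window: count distinct record IDs requested within `window` of each event.
        for i, (t0, _) in enumerate(events):
            ids = {rid for t, rid in events[i:] if t - t0 <= window}
            if len(ids) >= distinct_threshold:
                enumerators[ip] = len(ids)
                break
    return {"out_of_scope": out_of_scope, "enumerators": enumerators}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user, rid, ip in result["out_of_scope"]:
        print(f"out-of-scope read: {user} fetched participant {rid} from {ip}")
    for ip, n in result["enumerators"].items():
        print(f"enumeration suspect: {ip} touched {n} distinct record IDs")
```

Failed probes (the 404 above) are deliberately kept in the per-IP enumeration count but excluded from the out-of-scope list: a 404 discloses nothing, yet a run of sequential IDs with occasional misses is exactly the traffic shape the behavioral indicator describes.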
## Response Actions
- **Containment:** Navia addressed the BOLA vulnerability to prevent further unauthorized access.
- **Eradication:** Identification and removal of unauthorized access points.
- **Recovery:** HackerOne and Navia notified affected individuals and provided 12 months of identity protection and credit monitoring services.
## Lessons Learned
- **BOLA Risks:** Broken Object Level Authorization remains a critical vulnerability in web applications handling large amounts of multi-tenant data.
- **Third-Party Risk:** An organization’s security posture is only as strong as its least secure vendor.
- **Detection Latency:** There was a significant gap (one month) between the initial exploit and detection, suggesting a need for better anomaly detection in web traffic.
## Recommendations
- **API Security:** Implement strict authorization checks at the object level for every request/API call.
- **Vendor Risk Management (VRM):** Require third-party administrators to provide proof of regular penetration testing and vulnerability disclosures.
- **Monitoring:** Deploy Web Application Firewalls (WAF) and behavioral analytics to detect rapid enumeration of resource IDs.
- **End-User Training:** Advise employees to update security questions if they rely on static PII (such as date of birth or home address) that may have been compromised.
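The first recommendation is the one that directly closes a BOLA flaw, so here is an added illustration of what "authorization at the object level for every request" means in code. This is example code, not Navia's or HackerOne's: the `Principal`, `Participant` and handler names, the in-memory record store and the two roles (a participant who owns one record, and an HR administrator scoped to one employer) are all assumptions. The vulnerable handler authenticates the caller but never checks ownership; the fixed handler applies a per-object rule and answers "not found" for both missing and unauthorized IDs so the API does not reveal which records exist. A small regression helper shows how a test suite can catch the flaw before an attacker does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: int
    employer_id: int
    role: str  # "participant" or "hr_admin" (assumed roles)


@dataclass(frozen=True)
class Participant:
    participant_id: int
    employer_id: int
    name: str
    plan_start: str


# Constructed sample records (not real data): two employers, three participants.
PARTICIPANTS = {
    101: Participant(101, employer_id=1, name="A. Example", plan_start="2025-01-01"),
    102: Participant(102, employer_id=1, name="B. Example", plan_start="2025-03-01"),
    205: Participant(205, employer_id=2, name="C. Example", plan_start="2025-06-01"),
}


class NotFound(Exception):
    """Returned for missing AND unauthorized records so IDs cannot be probed for existence."""


def get_participant_vulnerable(principal, participant_id):
    """BOLA: the caller is authenticated, but nothing ties the requested ID to the caller."""
    rec = PARTICIPANTS.get(participant_id)
    if rec is None:
        raise NotFound()
    return rec


def authorized(principal, rec):
    """Object-level rule: participants read only their own record; HR admins only their employer's."""
    if principal.role == "participant":
        return rec.participant_id == principal.user_id
    if principal.role == "hr_admin":
        return rec.employer_id == principal.employer_id
    return False  # unknown roles get nothing (deny by default)


def get_participant_fixed(principal, participant_id):
    """Same lookup, but the object is released only after the ownership check passes."""
    rec = PARTICIPANTS.get(participant_id)
    if rec is None or not authorized(principal, rec):
        raise NotFound()
    return rec


def readable_records(handler, principal, candidate_ids):
    """Authorization regression check: which candidate IDs does `handler` hand to `principal`?"""
    found = []
    for pid in candidate_ids:
        try:
            handler(principal, pid)
            found.append(pid)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    emp = Principal(user_id=101, employer_id=1, role="participant")
    hr = Principal(user_id=900, employer_id=1, role="hr_admin")
    ids = range(100, 210)
    print("vulnerable handler exposes to emp_101:", readable_records(get_participant_vulnerable, emp, ids))
    print("fixed handler exposes to emp_101:     ", readable_records(get_participant_fixed, emp, ids))
    print("fixed handler exposes to HR admin:    ", readable_records(get_participant_fixed, hr, ids))
```

The design point is that the check lives inside the data-access path rather than in a route-level "is logged in" gate: every handler that resolves an ID must pass the loaded object through `authorized` before returning it, and the test `readable_records(get_participant_fixed, participant, all_ids) == [participant.user_id]` is the assertion that guards against regressions.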