Navia Breach Behind HackerOne Leak Exposes 2.7M

HackerOne employee data was exposed through a breach at its benefits vendor, Navia Benefit Solutions, which reporting attributes to a broken object level authorization (BOLA) flaw in Navia's API; the vendor-side incident affected roughly 2.7 million people in total, a stark API-security failure. The breach shows how a third-party HR or benefits vendor that authenticates users but never checks which records each user may read can widen an enterprise's attack surface far beyond its own systems. (x.com)

Navia's formal notice to the Maine Attorney General states that the incident affected exactly 2,697,540 individuals and that written notification to impacted people began the week of March 18, 2026. (maine.gov) Navia's filings put the unauthorized access window between December 22, 2025 and January 15, 2026, and record that Navia detected suspicious activity on January 23, 2026, about a month after access began. (databreach.io) HackerOne's own disclosure identifies 287 employees whose personal information was exposed and shows that HackerOne began sending written notices to those staff on March 17, 2026. (securityweek.com)

The incident notice and multiple reports list the data elements accessed as Social Security numbers, dates of birth, names, phone numbers, email addresses and health-plan participation (FSA/HSA/COBRA) records, a combination sufficient for identity fraud and targeted phishing against affected employees. (databreach.io) Navia says it provides services to more than 10,000 employers and over one million participants, so its backend role concentrated sensitive benefit-account data for a broad client base behind a single API. (prnewswire.com) Navia's regulatory filing confirms that it began substitute notifications on March 13, 2026 and will offer affected individuals credit monitoring through Kroll for the period described in the Maine submission (12 to 24 months). (classactionu.org)
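The failure mode named in the reports, broken object level authorization, is easiest to see as a handler that authenticates the caller and then fetches whatever record ID the caller asked for. The following is an added, hypothetical Python example written for this page; it is not Navia's or HackerOne's code, and the participant records, session shape and handler names are all constructed. It shows the vulnerable handler beside a hardened one that checks ownership per object, and an enumeration loop that walks a guessable ID space with a single valid session to show what each handler leaks.

```python
"""Hypothetical BOLA demo (not Navia's code): an authenticated benefits API that
keys participant records by a guessable numeric id. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Participant:
    participant_id: int
    employer_id: str
    name: str
    ssn_last4: str
    plan: str


@dataclass(frozen=True)
class Session:
    participant_id: int   # 0 for employer administrators (assumed convention)
    employer_id: str
    role: str             # "participant" or "employer_admin"


class ApiError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


# Constructed sample records; sequential ids make the space trivially walkable.
DB: Dict[int, Participant] = {
    1001: Participant(1001, "acme", "Ann Example", "1234", "FSA"),
    1002: Participant(1002, "acme", "Bob Example", "5678", "HSA"),
    1003: Participant(1003, "globex", "Cy Example", "9012", "COBRA"),
}


def get_account_vulnerable(session: Optional[Session], participant_id: int) -> Participant:
    """BOLA: proves the caller is logged in, then returns any record by id."""
    if session is None:
        raise ApiError(401)
    rec = DB.get(participant_id)
    if rec is None:
        raise ApiError(404)
    return rec                      # no check that this record belongs to the caller


def is_authorized(session: Session, rec: Participant) -> bool:
    """Object-level rule: participants see only themselves, admins only their employer."""
    if session.role == "participant":
        return session.participant_id == rec.participant_id
    if session.role == "employer_admin":
        return session.employer_id == rec.employer_id
    return False


def get_account_hardened(session: Optional[Session], participant_id: int) -> Participant:
    """Same lookup, but authorization is evaluated against the fetched object."""
    if session is None:
        raise ApiError(401)
    rec = DB.get(participant_id)
    # Identical 404 for missing and foreign objects, so the API does not act as
    # an existence oracle for ids the caller is not allowed to read.
    if rec is None or not is_authorized(session, rec):
        raise ApiError(404)
    return rec


def enumerate_ids(handler: Callable[[Optional[Session], int], Participant],
                  session: Session, ids: Iterable[int]) -> Dict[int, Participant]:
    """What one valid session harvests by walking the id space."""
    leaked: Dict[int, Participant] = {}
    for pid in ids:
        try:
            leaked[pid] = handler(session, pid)
        except ApiError:
            pass
    return leaked


if __name__ == "__main__":
    attacker = Session(1001, "acme", "participant")   # an ordinary participant login
    for name, handler in (("vulnerable", get_account_vulnerable),
                          ("hardened", get_account_hardened)):
        got = enumerate_ids(handler, attacker, range(1000, 1010))
        print(f"{name}: {len(got)} record(s) readable -> {sorted(got)}")
```

The vulnerable handler hands a single participant every record in the table, which is the shape of failure that turns one compromised or self-registered account into a bulk export. The hardened version performs the ownership check on the object it actually loaded rather than on the request parameters, and collapses "not found" and "not yours" into the same response.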

Shared from Scout - Be the smartest in the room.