What Happened in the HackerOne Data Breach?
The HackerOne data breach did not begin inside HackerOne’s own network. Instead, it originated at Navia Benefit Solutions Inc., a third-party benefits administrator based in Renton, Washington. Navia manages employee benefits for HackerOne and several other organizations. As a result, a security flaw in Navia’s systems ended up exposing HackerOne employee and dependent data.
According to HackerOne’s notification to consumers, the issue stemmed from a Broken Object Level Authorization vulnerability, often called a BOLA flaw. This type of weakness allows an unauthorized user to view information they should not have access to. Because of this flaw, an unknown actor was able to access and acquire sensitive data. The unauthorized access reportedly took place between Dec. 22, 2025, and Jan. 15, 2026.
Navia became aware of suspicious activity in its environment on Jan. 23, 2026. In response, it launched an investigation to determine the scope of the intrusion. After completing its review, Navia sent letters dated Feb. 20, 2026, to companies whose employee data was involved, including HackerOne.
After verifying the letter’s legitimacy, HackerOne met with Navia on March 13, 2026, to better understand what happened and which data was affected. This forensic follow-up allowed HackerOne to confirm the categories of exposed information before notifying individuals. HackerOne then moved to alert affected people directly, even ahead of Navia’s own required notifications.
Who was affected?
The HackerOne data breach affected 287 individuals in the United States. These are people connected to HackerOne through its employee benefits program administered by Navia. Because benefits programs typically extend beyond employees, dependents of affected workers were also swept into the exposure.
The breach was disclosed to the Maine Attorney General on March 23, 2026, with one Maine resident confirmed among those affected. This suggests the impacted population is spread across multiple states, though HackerOne has not publicly broken down the full geographic distribution. Since dependent information was involved, it’s possible that minors tied to affected employees’ benefit plans were also included in the exposure.
What Information Was Potentially Exposed?
The data exposed in this breach is particularly sensitive because it touches both financial identity and health-related details. Navia’s investigation found that an unauthorized actor accessed and acquired a wide range of personal information tied to HackerOne’s benefits program.
- Social Security numbers
- Full names
- Home addresses
- Phone numbers
- Dates of birth
- Email addresses
- Health plan participation status
- Non-health plan participation status
- Plan enrollment dates
- Plan effective dates
- Plan termination dates
Because Social Security numbers were included, affected individuals face a heightened risk of identity theft. Fraudsters can use a stolen SSN combined with a name and date of birth to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. This risk can persist for years after a breach, which is why ongoing vigilance matters.
In addition, the exposure of health plan participation status raises the possibility of medical identity fraud. Someone with this information could potentially use it to seek medical services or benefits under a false identity. Combined with contact details and dates of birth, this data gives criminals enough context to craft convincing phishing messages or impersonate affected individuals when contacting benefit providers or financial institutions.
What is the company doing?
HackerOne responded by notifying affected individuals through written notice as soon as it confirmed the scope of the incident. Notably, the company chose to reach out before Navia completed its own required notifications, stating it wanted people to be able to take protective steps as quickly as possible. This early notification reflects an effort to prioritize consumer protection over procedural timing.
Beyond the initial notice, HackerOne says it is still awaiting further details from Navia about the vulnerability that caused the breach. Meanwhile, the company is evaluating Navia’s privacy and security policies and practices. If HackerOne isn’t satisfied with what it learns, it has indicated it will explore other benefits provider options with its broker. Navia, for its part, is offering complimentary credit monitoring through Kroll to affected individuals, with enrollment details included in Navia’s direct notifications.
What Should Affected Individuals Do?
Place a Fraud Alert or Credit Freeze
Because Social Security numbers were exposed, affected individuals should strongly consider placing a fraud alert or credit freeze with the three major credit bureaus. Equifax, Experian, and TransUnion all offer this service, and it can prevent new accounts from being opened in your name without your consent.
A credit freeze restricts access to your credit file, making it much harder for identity thieves to open new lines of credit. This step is free and can be lifted temporarily whenever you need to apply for credit yourself. Given the sensitivity of the data involved here, this is one of the most effective safeguards available.
Monitor Your Credit Reports and Financial Accounts
Affected individuals should request free credit reports through AnnualCreditReport.com and review them carefully. Look for unfamiliar accounts, hard inquiries, or other signs that someone may have tried to use your information.
In addition, it’s wise to monitor bank and credit card statements closely in the coming months. Because the exposed data included dates of birth and addresses, criminals could attempt to answer security questions or verify identity with financial institutions. Catching unauthorized activity early can limit the damage significantly.
Take Advantage of Complimentary Credit Monitoring
Navia is offering affected individuals free credit monitoring through Kroll. This service can help detect suspicious activity tied to your Social Security number or financial accounts before it escalates.
Enrollment details and deadlines will be included in Navia’s individual notification letters. Therefore, it’s important to read that notice carefully and enroll promptly, since these offers often come with a limited signup window.
Watch for Phishing Attempts Referencing This Breach
Scammers frequently exploit publicized data breaches by sending messages that appear to come from the affected company. As a result, affected individuals should be cautious of any email, text, or phone call referencing HackerOne or Navia that asks for personal information or payment.
Legitimate notifications will never demand immediate payment or ask you to confirm your full Social Security number over email. If you receive a suspicious message, contact the company directly using verified contact information rather than replying to the message itself.
Update Passwords and Security Questions
Because the exposed data included dates of birth, addresses, and phone numbers, affected individuals should update any passwords or security questions tied to that information. This is especially important for financial and healthcare accounts.
Changing these details reduces the chance that someone could use the stolen information to bypass identity verification steps elsewhere. If you suspect any account has already been compromised, consider filing a complaint with the Federal Trade Commission through identitytheft.gov to create a personalized recovery plan.
More Information
Official Notice from Hackerone
