HackerOne slams supplier for delayed breach notice after staff data exposed
- Reference: 1774358827
- News link: https://www.theregister.co.uk/2026/03/24/hackerone_supplier_breach/
In [1]a filing with Maine's attorney general, HackerOne claimed the breach stemmed not from its own systems but from Navia Benefit Solutions, a US-based administrator handling employee benefits data.
According to a notification letter sent to affected staff, an unknown cyber baddie exploited a Broken Object Level Authorization (BOLA) flaw in Navia's environment, allowing unauthorized access to sensitive data between December 22, 2025, and January 15, 2026. BOLA is the API bug in which a service checks that a caller is logged in but not that the caller is entitled to the particular record it asks for, so swapping one identifier for another in a request returns somebody else's data. The letter does not say which endpoint was affected or how many records the attacker pulled.
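To make the class of bug concrete, here is an added illustration of a BOLA flaw beside its fix. This is not Navia's or HackerOne's code, and nothing about their systems is known beyond the letter; the in-memory record store, the user and record IDs, the `/api/records`-style handler shape and the field names are all constructed for the example. The `enumerate_records` helper plays the attacker, walking sequential IDs with one legitimate login.

```python
# Added illustration of a Broken Object Level Authorization (BOLA) flaw and its fix.
# Not Navia's or HackerOne's code; the record store, user IDs, field names and
# handler shape are constructed for the example.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller asks for an object it is not entitled to."""


@dataclass(frozen=True)
class BenefitRecord:
    record_id: int
    owner_id: int      # the employee this benefits record belongs to
    ssn_last4: str
    plan: str


# Constructed sample data standing in for a benefits administrator's database.
RECORDS = {
    101: BenefitRecord(101, owner_id=7, ssn_last4="1234", plan="PPO"),
    102: BenefitRecord(102, owner_id=8, ssn_last4="5678", plan="HMO"),
    103: BenefitRecord(103, owner_id=9, ssn_last4="9012", plan="HDHP"),
}


def get_record_vulnerable(caller_id: int, record_id: int) -> BenefitRecord:
    """Authenticated but not authorized: any logged-in user can read any record.

    The handler trusts the record_id from the URL and never compares it against
    the caller. This is the BOLA pattern: authentication without object-level
    authorization.
    """
    return RECORDS[record_id]  # no check that caller_id owns record_id


def get_record_fixed(caller_id: int, record_id: int) -> BenefitRecord:
    """Object-level check: the record must belong to the caller."""
    record = RECORDS.get(record_id)
    # Return the same error for "no such record" and "not your record" so the
    # response does not tell a probing caller which IDs exist.
    if record is None or record.owner_id != caller_id:
        raise Forbidden(f"record {record_id} is not accessible to user {caller_id}")
    return record


def enumerate_records(handler, caller_id: int, id_range) -> list[int]:
    """Walk sequential IDs as an attacker would; return the IDs that leaked.

    A record "leaks" when the handler returns it although caller_id is not its
    owner. Errors (missing ID, Forbidden) are skipped, as an attacker would.
    """
    leaked = []
    for rid in id_range:
        try:
            rec = handler(caller_id, rid)
        except (Forbidden, KeyError):
            continue
        if rec.owner_id != caller_id:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    # User 7 legitimately owns record 101 and probes the neighbouring IDs.
    print("vulnerable leaks:", enumerate_records(get_record_vulnerable, 7, range(100, 110)))
    print("fixed leaks:     ", enumerate_records(get_record_fixed, 7, range(100, 110)))
```

Two design points worth noting. The fixed handler uses one error for "missing" and "not yours", so the status code cannot be used as an oracle to map which IDs exist. In a real service the cleaner version of the same fix is to query by both keys (`WHERE id = ? AND owner_id = ?`) rather than fetch-then-compare, so that a forgotten check cannot reintroduce the leak on a new code path.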
Navia detected "suspicious activity" on January 23 and began investigating, the notice states. HackerOne says it didn't receive formal notification until March after letters dated February 20 were sent but delayed in transit. HackerOne made clear it is less than impressed with that timeline, noting it is still waiting for "a satisfactory reason for the delay in their notification."
The wider incident is far bigger than HackerOne alone. Navia [5]said last week that the months-old breach of its systems affected more than 2.6 million people. Navia hasn't shared any further details about the intrusion, and its website was unavailable at the time of writing, though it's unclear whether the two are connected.
The exposed data reads like a greatest hits of identity theft fodder. HackerOne employees may have had Social Security Numbers, full names, addresses, phone numbers, dates of birth, and email addresses compromised, along with details about health plan participation and information on dependents.
While Navia has claimed there is no evidence of misuse so far, HackerOne is proceeding on the assumption that the data could still be abused. Employees were warned to watch for fraud, phishing attempts, and unusual financial activity, and to consider locking down their credit.
The company also signaled it may rethink its supplier relationships. It said it is reviewing Navia's security and privacy practices, and will consider "other potential options for benefits providers" if those don't measure up.
It's the same pattern seen time and again: a vulnerability in a supplier's system, a lag between detection and disclosure, and downstream victims left scrambling. The difference here is that the victim is HackerOne – a firm that exists to spot exactly this kind of problem. ®
[1] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/7a57bd2b-9c89-4b3c-8ff9-41f55eea067c.html
[5] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/584caa6c-4397-49c0-89a5-dbc0dbea0948.html
Re: Serfs
Tax benefits and discounts for collectively bargaining for the entirety of the staff presumably but it's certainly not ideal that so much personal information is sent to third parties.
Re: Serfs
Let's look at the "collective bargaining" argument more carefully, because it sounds virtuous on paper but falls apart under scrutiny.
People need healthcare, dental, gym access regardless of whether their employer arranges it. Demand exists independently. So what does the employer-intermediated model actually do? It aggregates that pre-existing demand and routes it through a procurement process where the employer picks the provider. And which providers compete for these contracts? Not the ones thriving on individual reputation and service quality - those don't need a captive corporate channel to acquire customers. The providers competing hardest for bulk employer contracts are overwhelmingly the ones who couldn't win your business on the open market on merit alone. You get a "discounted" gym chain you'd never have chosen yourself, a dental network with six-month wait times and so on.
Every one of these providers is still turning a profit - they're not doing charity. So the "discount" is an illusion. What's actually happening is that a slice of your compensation is being redirected through intermediaries who each take their cut, offer you a constrained and often inferior version of a service you'd have bought yourself, and collect your most sensitive personal data as a condition of participation.
It's wage skimming dressed up as a perk. The company gets a tax advantage, the intermediaries get a captive market, and you get a breach notification letter and two years of credit monitoring. But don't worry - you saved five quid a month on a gym you never wanted.
Re: Serfs
> There's a deeper absurdity buried under the breach mechanics here. Why does a company like HackerOne - or any company - need to hand over SSNs, dates of birth, dependent details, and health plan participation data to a third-party "benefits administrator" in the first place?
All that PII would still be collected and stored for tax purposes, even if benefits weren't bundled and employee compensation were paid entirely as cash.
The root cause is we collect too much PII, we store it poorly, and stolen PII has too much value to crooks.
Cybersecurity standards need to be strengthened. Businesses need to face real liability for breaches -- compounded when they collect too much PII by choice. Victims deserve real compensation (not credit monitoring crap). The public needs to be more judgmental towards companies which fail to protect private information. Avoidable failures should be met with swift and stiff fines, not years and years of lawyers negotiating pointlessly small and quiet settlements.
We also need to make the stolen info less useful. Demand will remain strong as long as crooks can easily monetize it.
Timelines don't add up
> allowing unauthorized access to sensitive data between December 22, 2025, and January 15, 2026.
> Navia detected "suspicious activity" on January 23 and began investigating
How did suspicious activity go on after the unauthorized access was no longer allowed and how was that access shut down before noticing suspicious activity?
Re: Timelines don't add up
Because they probably only looked at the logs after a huge spike in outbound traffic, and even then it was most likely after the fact.
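The thread above turns on when the access was noticed. Neither the letter nor Navia says what "suspicious activity" tripped the alarm, so the following is an added example rather than anything from the page: what an enumeration of object IDs looks like in API access logs, and a small detector for it. The log format, the `/api/records/<id>` path, the field names, the five-minute window and the five-record threshold are all assumptions, and the sample lines are constructed.

```python
# Added illustration: spotting object-ID enumeration (BOLA exploitation) in
# API access logs. The log format, path, field names, window and threshold are
# assumptions for the example; the sample lines are constructed, not real logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: "<iso-timestamp> user=<id> <METHOD> /api/records/<id> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"/api/records/(?P<rid>\d+) (?P<status>\d{3})$"
)

# Constructed sample: user 7 walks eight consecutive record IDs in half a minute,
# user 8 reads its own record twice and is refused once, user 9 reads one record.
SAMPLE_LOG = """\
2025-12-22T09:00:01Z user=7 GET /api/records/101 200
2025-12-22T09:00:03Z user=7 GET /api/records/102 200
2025-12-22T09:00:05Z user=7 GET /api/records/103 200
2025-12-22T09:00:07Z user=7 GET /api/records/104 200
2025-12-22T09:00:09Z user=7 GET /api/records/105 200
this line is not in the expected format and is skipped
2025-12-22T09:00:11Z user=7 GET /api/records/106 200
2025-12-22T09:00:13Z user=7 GET /api/records/107 200
2025-12-22T09:00:30Z user=7 GET /api/records/108 200
2025-12-22T09:02:00Z user=8 GET /api/records/102 200
2025-12-22T09:02:10Z user=8 GET /api/records/101 403
2025-12-22T09:40:00Z user=8 GET /api/records/102 200
2025-12-22T10:15:00Z user=9 GET /api/records/103 200
"""


def parse(lines):
    """Yield (timestamp, user, record_id, status) for each well-formed line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, int(m["user"]), int(m["rid"]), int(m["status"])


def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Return {user: max_distinct_records} for users who successfully read at
    least `threshold` distinct record IDs inside any `window`.

    A benefits participant normally touches one or two records of their own;
    many distinct IDs from one principal in a short span is the signature of
    an identifier walk. Only 200s count, since the question is what leaked.
    """
    by_user = defaultdict(list)
    for ts, user, rid, status in sorted(parse(lines), key=lambda e: e[0]):
        if status == 200:
            by_user[user].append((ts, rid))

    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {rid for _, rid in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(len(distinct), flagged.get(user, 0))
    return flagged


if __name__ == "__main__":
    for user, n in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"user {user} read {n} distinct records inside one window")
```

Two caveats a practitioner would raise. A detector like this is only as good as the logs it reads: if the API layer records nothing but a status code per request, or logs are only examined after an outbound-traffic anomaly, the exposure window is discovered after the fact, which is the scenario the comment above describes. And thresholds need tuning per endpoint; an HR administrator legitimately reads many records, so the rule should key on the caller's role as well as the count.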
Serfs
There's a deeper absurdity buried under the breach mechanics here. Why does a company like HackerOne - or any company - need to hand over SSNs, dates of birth, dependent details, and health plan participation data to a third-party "benefits administrator" in the first place?
Because instead of paying people properly and letting them make their own choices about healthcare, dental, gym memberships, and lunch, we've built this bizarre feudal apparatus where your employer intermediates your relationship with basic services. Your company picks your health plan. Your company decides which gym chain you get a discount at. Your company negotiates what sandwich provider stocks the office fridge. And to do all of this, your most sensitive personal data gets funnelled through a chain of suppliers you've never heard of, operating systems you have no visibility into, protected by security practices you can't audit.
The actual architectural failure is that 2.6 million people's identities were sitting in Navia's systems at all - because we've collectively accepted that compensation comes in the form of a complex benefits package administered by third parties, rather than wages sufficient to let adults arrange their own lives.
Pay people well. Let them pick their own dentist, their own gym, their own lunch. And stop treating the aggregation of employee PII across opaque supplier chains as a normal cost of doing business.