HackerOne slams supplier for delayed breach notice after staff data exposed


Almost 300 HackerOne employees are caught up in a data breach, with the bug bounty biz slamming a third-party benefits provider for a weeks-long delay in notification.

In a filing with Maine's attorney general, HackerOne claimed the breach stemmed not from its own systems but from Navia Benefit Solutions, a US-based administrator handling employee benefits data.

According to a notification letter sent to affected staff, an unknown cyber baddie exploited a Broken Object Level Authorization (BOLA) flaw in Navia's environment, allowing unauthorized access to sensitive data between December 22, 2025, and January 15, 2026.

Navia detected "suspicious activity" on January 23 and began investigating, the notice states. HackerOne says it didn't receive formal notification until March, after letters dated February 20 were sent but delayed in transit. HackerOne made clear it is less than impressed with that timeline, noting it is still waiting for "a satisfactory reason ...


Copyright of this story solely belongs to theregister.co.uk.