HackerOne reveals employee data breach after Navia hack


The bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers breached Navia, one of its benefits administrators in the .

HackerOne manages more than 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies such as General Motors, Goldman Sachs, , the and Uber, as well as to U.S. government agencies such as the Department of Defense.

Navia is a leading consumer-focused benefits administrator serving more than 10,000 employers across the United States.

In a filing with the Office of the Maine Attorney General, HackerOne also disclosed that the data breach exposed the sensitive information of 287 employees.

“Currently, we have been informed that a Broken Object Level Authorization (BOLA) vulnerability led to an unknown actor accessing Navia data between December 22, 2025 and January 15, 2026,” the company said. “On January 23, 2026, Navia was notified of suspicious activity in its environment. Navia sent letters dated February 20, 2026 to affected companies.”

The exposed information includes a combination of Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, program enrollment dates, effective dates, and termination dates for each affected employee and their dependents.

HackerOne also encouraged affected employees to be vigilant with suspicious messages, monitor their financial accounts for unusual activity, and take advantage of the free 12-month identity protection and credit monitoring service provided by Navia.

"You may also want to consider changing passwords or password hints/security questions if they involve the personal data listed above," the company added.

When it disclosed the incident earlier this month, Navia stressed that the data breach did not affect individuals' claims or financial information.

However, the exposed data is sufficient for threat actors to launch phishing and social engineering attacks against individuals affected by the incident.

Although Navia labeled the incident as a data theft attack, no cybercrime group or ransomware operation has claimed responsibility for the breach.




VIA: bleedingcomputer.com

Dimitris Marizas