This is an automated archive made by the Lemmit Bot.
The original was posted on /r/netsec by /u/raptorhunter22 on 2026-03-25 13:31:12+00:00.
Breach occurred at Navia Benefit Solutions, a 3rd party, not HackerOne infra.
Around 287 HackerOne employees' PII leaked.
Navia delayed breach notifications by weeks. Filed at Maine AG.
Navia was independently breached. Over 10K US employees' PII exposed.
Reports point to an auth flaw (BOLA-type) enabling access to employee PII (SSNs, DoB, addresses, benefits data).
Exposure window: Dec 2025 to Jan 2026.
“TIL that an attack vector that’d be called a ‘BOLA’ in some threat models actually led to the exposure of sensitive info. Still waiting for mainstream adoption of robust access control best practices”

