Data leak
Supply Chain
Navia Benefit Solutions BOLA Vulnerability Data Breach
Incident Details
Navia Benefit Solutions, an employee benefits administration company, suffered a data breach due to a BOLA (Broken Object Level Authorization) API vulnerability. An unknown threat actor accessed Navia’s systems between December 22, 2025 and January 15, 2026. Navia became aware on January 23, 2026. The breach affected 2,697,540 individuals whose data was held by Navia as a benefits third-party processor. Exposed information included names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan information. Downstream victims included employees of numerous companies, including 287 HackerOne employees. Notification letters were dated February 20, 2026, but some companies received them late.
Technical Details
- Initial Attack Vector
  - Broken Object Level Authorization (BOLA) vulnerability in Navia's systems allowed unauthorized access to benefit plan data
- Vendor / Product
  - Navia Benefit Solutions (employee benefits administration platform)
- Supply Chain Attack
  - Confirmed third-party / vendor compromise
Timeline
- 2025-12-22 Breach occurred
- 2026-01-23 Publicly disclosed
- 2026-02-20 Customers notified