TL;DR
An alleged massive data breach has hit Adobe, carried out by a threat actor going by “Mr. Raccoon.” The breach reportedly ran through a third-party Indian Business Process Outsourcing (BPO) firm and may have exposed 13 million support tickets, 15,000 employee records, and bug bounty submissions pulled directly from HackerOne. Adobe hasn’t confirmed anything yet, but the evidence the attacker put out (screenshots and file directory listings) points to real failures in access control and vendor security. This report breaks down the full attack chain, what was taken, and why it should worry any organization that outsources support work.

The Adobe “Mr. Raccoon” Breach: What Actually Happened
Early 2026 has delivered what looks like one of the nastier data exfiltrations in recent memory. A threat actor calling himself “Mr. Raccoon” has claimed he broke into Adobe’s ecosystem in stages and the most unsettling part isn’t the scale of what was stolen. It’s where he got in.
He didn’t touch Adobe’s primary data centers. He went through a BPO in India.
That distinction matters. It means Adobe’s own perimeter didn’t fail. A contractor’s did. And somehow that was enough.
Why a BPO Was the Entry Point
BPOs handle sensitive customer data for major corporations while typically running leaner on security budgets, training, and staff retention than the companies that hire them. That makes them attractive targets for initial access brokers – the people who specialize in getting in, then either using or selling that access.
Mr. Raccoon’s first move was a targeted phishing email sent to a support agent at the Indian BPO that handled Adobe customer tickets. The agent ran a Remote Access Tool. From that point, Mr. Raccoon had full control of the workstation.
What he did next is what separates this from a routine credential theft.
He didn’t immediately go for data. He turned on the webcam. He read the employee’s WhatsApp messages. He watched how internal communication worked – tone, phrasing, who talked to whom. He wasn’t just in the machine. He was studying the environment.

Moving Up: The Manager Pivot
Once he understood the internal hierarchy, he sent a second phishing attempt but this time from the compromised agent’s account, aimed at the agent’s manager.
This is where traditional email security falls down. The message came from a known internal address. The manager had no obvious reason to doubt it. They responded. They handed over credentials that gave Mr. Raccoon admin-level access to Adobe’s core support platform.
In many BPO setups, managers carry elevated permissions specifically so they can resolve complex escalations. Once Mr. Raccoon had those credentials, he wasn’t a guest in the system anymore. He was running it.
The Export That Should Never Have Been Possible
Here’s the part that sticks with me: Mr. Raccoon reportedly told International Cyber Digest that he exported the entire support ticket database “in one request from an agent.”
Thirteen million records. One request.
There was no rate limiting. No DLP trigger. No alert fired in the SOC when a support agent’s account started behaving like a database administrator pulling an entire system backup.
In a properly configured environment, that export either doesn’t happen or it sets off a chain of automated alerts before it finishes. Neither happened here. The data walked out the door without resistance.
What Was Taken
The alleged dataset covers three separate groups of people, each exposed in different ways.

13 Million Support Tickets
Support tickets are actually some of the richest raw material available for social engineering and fraud. They contain names, email addresses, account IDs, and internal technical notes. They also sometimes contain things users shouldn’t have typed in the first place like passwords, card numbers, sensitive details people paste into chat windows despite the warnings. Beyond identity theft, this data is a detailed map for anyone who wants to impersonate Adobe support.
15,000 Employee Records
This likely includes home addresses, phone numbers, employee IDs, and potentially payroll data. For the individuals involved, this isn’t an abstract risk. It’s a direct one.
HackerOne Bug Bounty Submissions
This is the piece that worries security researchers the most. HackerOne is where ethical hackers report vulnerabilities to companies like Adobe through coordinated disclosure. Those submissions include full proof-of-concept documentation and step-by-step instructions for exploiting whatever flaw was found.

If Mr. Raccoon has all of those submissions, he has a working list of every vulnerability Adobe has faced, including ones that were partially patched, deprioritized, or quietly shelved as edge cases. Any buyer who gets that data has a functional attack guide.
The HackerOne Problem Is Different From Everything Else
Everything else in this breach is bad in ways that are recoverable. You change passwords, you monitor for fraud, you notify affected users. That’s painful but manageable.
The HackerOne data is different because it undermines the whole model of responsible disclosure. Researchers report bugs under the assumption that doing so makes things safer: the company patches the flaw before anyone malicious finds it. If those reports get exfiltrated and circulated, the researcher’s effort flips from protective to harmful. The disclosure itself becomes the vulnerability.
Any unpatched bugs in that dataset are now effectively public knowledge in the underground. That’s a race Adobe has already lost the head start on.
Adobe’s Silence
Adobe hasn’t confirmed the breach as of this report. That’s not unusual because companies in the middle of incident response typically stay quiet while they’re figuring out what happened, partly to avoid liability and partly because premature statements tend to be wrong in ways that create additional problems.
The International Cyber Digest team claims to have reviewed the files. In practice, that’s often how these things move: from “alleged” to “confirmed” once the data surfaces on BreachForums or starts circulating on Telegram. Whether or not Adobe issues a statement, the data either exists or it doesn’t.
This Isn’t Adobe’s First Time
Adobe was hit in 2013 in a breach that affected 38 million users and included stolen source code from Photoshop. That incident pushed the company toward a serious overhaul – cloud-first architecture, more rigorous secure development practices.
None of that was useless. But it was all aimed at the castle. The servants’ entrance, the vendor relationships, the contractor networks all got less attention. That’s where this one came in.
Why Security Professionals Should Care
What Mr. Raccoon ran here is a fairly clean example of several techniques that don’t get combined often but work well together: initial access through a contractor, lateral movement through social engineering rather than exploits, and data exfiltration using the target system’s own built-in export functionality.
That last part is called “living off the land” – using legitimate tools to do illegitimate things, because it generates fewer alerts and leaves less forensic trace than deploying custom malware. The ticketing system’s export feature wasn’t a vulnerability in the traditional sense. It was a feature. It just didn’t have any guardrails on it.
What Enterprises Should Do Now
If you use a BPO for any customer-facing work, a few things are worth doing regardless of how this story develops.
Treat BPO networks as untrusted. Not as partners, not as extensions of your own network, but as external entities that require the same access controls you’d apply to anyone outside your perimeter. That means hardware MFA, not just password-plus-SMS.
Put your EDR tools on contractor machines, not just internal ones. If you don’t have visibility into what’s running on a workstation that has access to your data, you don’t have visibility into your own exposure.
Kill bulk export for support agents. Any export above a reasonable threshold, say, 50 records, should require sign-off from a second person before it executes. The fact that a single agent account could pull 13 million records isn’t a policy gap. It’s an architectural one.
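As an added illustration (not Adobe’s code or any ticketing vendor’s), here is what the two missing guardrails from this section and from “The Export That Should Never Have Been Possible” look like in practice: a gate that refuses any export above the 50-record threshold without a distinct second approver, and a SOC detector that sums an account’s export volume over a sliding window and alerts when it starts to look like a database dump. The window size, alert volume, account names and audit events are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

EXPORT_THRESHOLD = 50        # per-request cap needing dual sign-off (the article's figure)
ALERT_WINDOW_SECONDS = 300   # rolling window for the volume detector (assumed)
ALERT_VOLUME = 1_000         # exported records per window that should page the SOC (assumed)


@dataclass(frozen=True)
class ExportRequest:
    requester: str                 # account asking for the export
    record_count: int
    approver: Optional[str] = None # second person who signed off, if any


def gate_export(req: ExportRequest, threshold: int = EXPORT_THRESHOLD) -> tuple:
    """Allow small exports; above the threshold require a distinct approver.
    Returns (allowed, reason). Nobody self-approves, whatever their role."""
    if req.record_count <= threshold:
        return True, "below threshold"
    if req.approver is None:
        return False, f"{req.record_count} records exceeds {threshold}; second-person approval required"
    if req.approver == req.requester:
        return False, "approver must differ from requester"
    return True, f"approved by {req.approver}"


def detect_bulk_exports(events, window=ALERT_WINDOW_SECONDS, volume=ALERT_VOLUME):
    """events: (epoch_seconds, account, record_count) tuples from the export audit log.
    Sums each account's exports over a sliding window and returns one
    (account, timestamp, total) alert the first time the total reaches `volume`."""
    recent = defaultdict(list)   # account -> [(ts, count)] still inside the window
    alerts, alerted = [], set()
    for ts, account, count in sorted(events):
        recent[account] = [(t, c) for t, c in recent[account] if ts - t <= window]
        recent[account].append((ts, count))
        total = sum(c for _, c in recent[account])
        if total >= volume and account not in alerted:
            alerted.add(account)
            alerts.append((account, ts, total))
    return alerts


# Constructed audit events: routine ticket lookups, then one agent account dumping the table.
SAMPLE_EVENTS = [
    (1000, "agent_17", 12), (1060, "agent_17", 8), (1120, "agent_42", 25),
    (1200, "agent_42", 900), (1210, "agent_42", 13_000_000),
]

if __name__ == "__main__":
    print(gate_export(ExportRequest("agent_42", 13_000_000)))   # blocked: no approver
    print(detect_bulk_exports(SAMPLE_EVENTS))                    # one alert for agent_42
```

In a real deployment the gate sits in the export API handler and the detector runs over the audit stream feeding the SOC; the point is that either control alone would have stopped or surfaced a 13-million-record pull by a single agent account.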
Run phishing simulations that specifically target the agent-to-manager dynamic. Generic phishing tests don’t catch this. The scenario where a subordinate’s account is compromised and used to target their manager is specific enough that it needs its own drill.
What Individuals Should Do
If you’ve contacted Adobe support in the last few years, treat your data as potentially exposed.
Change your Adobe password if it’s shared with anything else. It should be unique to that account.
Switch to app-based MFA if you’re using SMS. SMS-based verification is better than nothing but weak enough that it’s worth replacing. Google Authenticator, Microsoft Authenticator, or a hardware key are all better options.
Be skeptical of any email that references an open support ticket. The support ticket data in this breach is detailed enough that phishing attempts using it will look specific and plausible. If something looks off, go directly to Adobe.com rather than clicking any link in the email.
FAQs
Is the breach confirmed? Not officially. Adobe hasn’t made a statement. Independent researchers claim to have reviewed samples of the data. That’s meaningful, but it’s not confirmation.
Was my credit card information stolen? Support tickets don’t typically store full card numbers, but they may include billing addresses and partial card data. If you ever typed sensitive information into a chat window, even something you were explicitly told not to, assume it could be in there.
What is a BPO? Business Process Outsourcing – a third-party company contracted to handle specific functions like customer service or technical support on behalf of a larger corporation.
I’m an Adobe employee. What should I do? Follow your internal IT security protocols immediately. Change your work passwords and any personal passwords that overlap with work accounts. Pull your credit report and watch it. Don’t wait for official guidance to start.
Where This Leaves Us
The boundary of a modern corporation isn’t drawn at its own firewall. It extends to every vendor, contractor, and outsourced function that touches its data. The weakest point in that extended perimeter is where breaches happen.
Mr. Raccoon found a weak point. He worked it methodically from a phishing email to a compromised workstation to a manager’s credentials to 13 million records – all of it using no zero-days and no exotic malware. Just patience, observation, and a ticketing platform with no export limits.
Adobe’s response, when it comes, will say a lot about how seriously corporations are now treating supply chain security. Until then, the people whose data may be in those 13 million tickets are waiting on an answer that hasn’t arrived yet.
Disclaimer: This report is based on currently available information from threat actors and independent cybersecurity researchers. Adobe has not officially confirmed these claims.