
Adobe's Outsourced Support Let a Hacker Export 13 Million Tickets in One Request

A threat actor calling themselves “Mr. Raccoon” claims to have stolen 13 million customer support tickets, 15,000 employee records, and the entire contents of Adobe’s HackerOne bug bounty programme — all by compromising a single employee at an outsourced support firm in India.

Adobe has not confirmed the breach. But malware researchers at vx-underground have reviewed the evidence and consider the claims legitimate, noting that the compromise appears limited to Adobe’s helpdesk system rather than its core infrastructure.

The distinction barely matters to the 13 million people whose support conversations are now in a stranger’s hands.

How It Happened

The attack didn’t start at Adobe. It started at an Indian Business Process Outsourcing (BPO) firm that handles Adobe’s customer support tickets.

Mr. Raccoon sent a phishing email to a support agent at the BPO firm. The agent executed a Remote Access Tool embedded in the message, giving the attacker full control of their workstation — including webcam access and the ability to read private messages on WhatsApp.

But the attacker didn’t rush. They spent time studying the compromised agent’s workplace: communication patterns, reporting hierarchy, internal jargon. Then they used the agent’s account to send a targeted phishing message to the agent’s manager. Because it came from a known internal address, it bypassed the email security filters that would have flagged an external message.

The manager’s response handed over admin-level credentials to Adobe’s core support platform.

No Guardrails on the Way Out

What happened next is the most damning part. According to Mr. Raccoon, the support platform had no rate limiting, no data loss prevention triggers, and no security alerts for bulk exports. The attacker claimed they exported the entire ticket database in a single request.

“They allowed you to export all tickets in one request from an agent,” the threat actor stated.

Thirteen million tickets. One click. No alarm.
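The missing controls described above can be sketched as a per-agent export guard: a hard cap on rows per request, a sliding-window budget per account, and an alert whenever either is hit. This is an added example, not code from Adobe or its support platform; the class name `ExportGuard`, the thresholds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; tune to real agent workloads.
MAX_ROWS_PER_REQUEST = 500    # hard cap on a single export
MAX_ROWS_PER_WINDOW = 2_000   # per-agent budget inside the window
WINDOW_SECONDS = 3600

class ExportGuard:
    """Hypothetical per-agent export limiter that also records alerts."""
    def __init__(self):
        self._history = defaultdict(deque)  # agent -> deque of (ts, rows)
        self.alerts = []

    def check(self, agent, rows, ts):
        """Return (allowed, reason) for an export of `rows` tickets at time `ts`."""
        if rows > MAX_ROWS_PER_REQUEST:
            self._alert(agent, ts, rows, "single request exceeds per-request cap")
            return False, "per-request cap"
        window = self._history[agent]
        # Drop entries that have aged out of the sliding window.
        while window and window[0][0] <= ts - WINDOW_SECONDS:
            window.popleft()
        used = sum(r for _, r in window)
        if used + rows > MAX_ROWS_PER_WINDOW:
            # Catches exports split into many small requests.
            self._alert(agent, ts, used + rows, "cumulative exports exceed window budget")
            return False, "window budget"
        window.append((ts, rows))
        return True, "ok"

    def _alert(self, agent, ts, rows, why):
        self.alerts.append({"agent": agent, "ts": ts, "rows": rows, "why": why})

def replay(events):
    """Run (agent, rows, ts) audit events through a fresh guard."""
    guard = ExportGuard()
    decisions = [guard.check(agent, rows, ts) for agent, rows, ts in events]
    return decisions, guard.alerts

# Constructed sample events (not data from the incident).
SAMPLE_EVENTS = [
    ("agent-a", 40, 0),            # ordinary export
    ("agent-b", 13_000_000, 60),   # everything in one request
    ("agent-c", 450, 100), ("agent-c", 450, 200),
    ("agent-c", 450, 300), ("agent-c", 450, 400),
    ("agent-c", 450, 500),         # fifth chunk pushes the hour to 2250 rows
    ("agent-c", 450, 4000),        # earlier chunks have aged out of the window
]
```

The window budget matters as much as the per-request cap: without it, the same database leaves in many small requests instead of one.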

What Was Taken

The stolen data falls into three categories, each with different risks:

Customer support tickets — 13 million records containing names, email addresses, account identifiers, and the full text of support conversations. People routinely share sensitive details in support tickets: billing information, technical problems, account credentials they shouldn’t be pasting into chat windows. This data is a phishing goldmine.

Employee records — 15,000 records allegedly containing home addresses, phone numbers, employee IDs, and possible payroll information. If accurate, this puts Adobe employees at risk of identity theft and targeted social engineering.

HackerOne bug bounty submissions — This is the most dangerous component. HackerOne is a platform where security researchers privately report vulnerabilities to companies so they can be fixed before anyone exploits them. The stolen submissions contain full proof-of-concept exploits and step-by-step attack instructions for vulnerabilities that may not yet be patched. Every unpatched flaw in that database is now a potential weapon for anyone who gets their hands on it.

The BPO Blind Spot

This is the second major BPO-related breach to surface in a matter of weeks. Just last month, Crunchyroll confirmed that an outsourcing employee at Telus International was compromised, leading to the exposure of 6.8 million users’ data.

The pattern is identical: a major company outsources support operations to cut costs, a contractor employee gets phished, and the attacker rides that access straight into the client’s internal systems. The BPO firm operates under different security standards, with leaner budgets and less oversight, but its employees hold the same credentials as the company’s own staff.

Adobe has been through this before. In 2013, the company suffered a massive breach that exposed data on 38 million users and leaked Photoshop source code. That incident prompted significant security investments in Adobe’s cloud infrastructure. But vendor relationship security — the weakest link in the chain this time — apparently received less attention.

Why This Matters

When you open a support ticket with Adobe, you’re not just talking to Adobe. You’re talking to a contractor in another country, on a different network, with a different security posture. Your data passes through systems you didn’t choose, maintained by people you’ll never know about, protected by standards you can’t verify.

The support ticket itself becomes a permanent record of your interaction — including whatever personal details you shared while trying to get help. Unlike a database with structured fields, support tickets contain freeform text: the kind of messy, personal, detailed information that makes targeted phishing and social engineering dramatically more effective.

And the HackerOne leak adds a second dimension. The responsible disclosure system — built on the promise that reporting vulnerabilities privately keeps everyone safer — just had its contents stolen and potentially distributed. Security researchers who submitted reports in good faith may now find their work being used to attack the very systems they tried to protect.

What You Should Do

If you’ve ever contacted Adobe support, treat your data as compromised until Adobe confirms otherwise.

  • Change your Adobe account password and any accounts using the same credentials
  • Enable multi-factor authentication on your Adobe account and email
  • Watch for targeted phishing — attackers with your support history know what products you use and what problems you’ve had. A fake “follow-up to your support case” email is a likely tactic
  • Don’t click links in emails claiming to be from Adobe — go directly to adobe.com instead
  • Monitor your accounts for unusual activity, especially if you shared payment details in a support conversation

The lesson keeps repeating: when a company outsources its operations, it outsources your privacy along with them. You just don’t get any say in the arrangement.
