Adobe has not confirmed it was breached. Adobe has also not denied it.
In the absence of an official statement, what exists is a claim from a threat actor who calls themselves Mr. Raccoon: 13 million customer support tickets, 15,000 employee records, the complete archive of HackerOne bug bounty reports submitted to Adobe's vulnerability disclosure program, and a range of internal company documents – all, allegedly, extracted through a route that bypassed Adobe's own infrastructure entirely.
The entry point, according to Mr. Raccoon's account to International Cyber Digest, was not Adobe. It was a Business Process Outsourcing firm in India that Adobe had contracted to handle customer support operations. The BPO's employees had legitimate, authorised access to Adobe's support ticketing platform. Mr. Raccoon compromised one of them, then escalated.
Whether every element of this claim is accurate is unverified. The breach has been reported as "plausible" by cybersecurity researchers who reviewed supporting evidence Mr. Raccoon provided. Adobe's silence is not confirmation. But it is a data point.
How the Attack Allegedly Unfolded
The methodology Mr. Raccoon described is not sophisticated in a technical sense. It is sophisticated in a human sense – and it exploits a structural vulnerability that exists inside most large enterprises.
Stage one: a BPO employee received a malicious email. The email delivered a Remote Access Trojan. The RAT gave the attacker persistent access to that employee's machine, including access to the support ticketing platform the employee used as part of their daily work.
Stage two: the attacker identified the employee's manager and conducted a targeted phishing campaign against that manager. The manager, operating in the same BPO environment with the same security baseline, also fell for the attack. The manager account provided broader access permissions.
Stage three: Mr. Raccoon discovered – and this is the element that cybersecurity researchers found most significant – that Adobe's support ticketing platform contained a misconfiguration that allowed an agent-level account to export all tickets in a single request. "They allowed you to export all tickets in one request from an agent," Mr. Raccoon told International Cyber Digest.
That is not a sophisticated zero-day. That is an access control misconfiguration. An agent-level account, obtained through a compromised BPO employee, could pull the entire ticket database. Not a single record at a time. All of them. Thirteen million.
What Is Actually in 13 Million Support Tickets
Support ticket data is not typically the most glamorous dataset in a breach. It does not contain credit card numbers or authentication credentials in the direct sense. But the content of 13 million customer support tickets for one of the world's largest software platforms is genuinely consequential.
Support tickets contain names, email addresses, account identifiers, and the specific technical problems users reported. They contain partial system information – operating system details, version numbers, licence keys referenced in troubleshooting conversations. They contain the language customers use when they are confused or frustrated, which is information that skilled social engineers use to craft convincing impersonation attempts.
They also contain, in many cases, sensitive context. A support ticket about an enterprise deployment may include details about how a corporate customer has configured their Adobe environment. A ticket about account recovery may include identity verification exchanges. At scale, 13 million tickets represent a detailed map of Adobe's customer base, their problems, their configurations, and their contact information.
The 15,000 employee records add another layer. Internal employee data can be used to target Adobe staff directly – social engineering attempts that leverage real names, real job titles, and real internal context to appear credible.
The HackerOne Archive Is a Separate Category of Risk
The most alarming element of Mr. Raccoon's claimed haul is the HackerOne archive.
HackerOne is a platform through which security researchers submit vulnerability reports to companies under responsible disclosure programmes. Adobe runs a bug bounty programme through HackerOne that rewards researchers for identifying and reporting security vulnerabilities before they can be exploited by malicious actors.
Those submissions, by definition, contain detailed descriptions of unpatched or recently-patched vulnerabilities in Adobe's products. A vulnerability disclosure submission typically includes proof-of-concept code, exploitation steps, affected versions, and technical analysis of the weakness. That information is sensitive while the vulnerability is unpatched, and it retains some value afterward as a historical record of security gaps.
If Mr. Raccoon has obtained the complete HackerOne submission archive – including any reports of vulnerabilities that have not yet been patched – the breach creates a timeline pressure problem for Adobe. Vulnerabilities described in those submissions, if not yet resolved, are now potentially known to a malicious actor who has demonstrated both the motivation and capability to exploit what they find.
Adobe has not commented on whether any open HackerOne reports are among the allegedly stolen data.
The BPO Risk Problem That Enterprise Security Has Not Solved
The attack path Mr. Raccoon described – compromising a BPO contractor to reach a primary vendor's platform – is increasingly documented and insufficiently defended against.
Business Process Outsourcing is a structural feature of enterprise operations. Large software companies contract BPO firms to handle tier-one customer support because it is cost-effective, scales with demand, and allows 24-hour coverage across time zones. The BPO employees handle real customer data, using real access credentials, on platforms that are integrated into the primary company's systems.
The security implications of this arrangement are widely understood in theory and routinely underweighted in practice. The BPO firm's security baseline is typically lower than the primary vendor's, because the BPO firm is operating on tighter margins and with a different risk profile. The BPO employees' machines are often less rigorously controlled – managed through the BPO firm's IT policies, not the primary vendor's security standards. The credentials those employees use to access the primary vendor's platform may not be protected by the same MFA requirements the primary vendor applies to its own staff.
Mr. Raccoon's account describes an attack that required one malicious email, one RAT installation, one targeted phishing escalation, and the discovery of an access control misconfiguration. The BPO's security posture made the first three steps viable. Adobe's platform configuration made the fourth step catastrophically productive.
We have covered this dynamic repeatedly. The supply chain security analysis we published in 2023 identified BPO firms and managed service providers as the highest-risk category of third-party access, because they combine broad platform access with lower security maturity. The Scattered Spider prosecutions document a group that used exactly this kind of third-party access vector to breach hundreds of organisations. The pattern is consistent.
Access Control Misconfiguration as an Amplifier
The alleged misconfiguration in Adobe's support ticketing platform – allowing a single agent account to export the entire ticket database in one request – deserves specific attention.
Access control misconfigurations of this type are common because support platforms are often configured for operational convenience. Support agents need to be able to search and retrieve tickets quickly. Export functionality is useful for reporting, escalation, and handoff. The default configuration of many enterprise support platforms grants export capabilities to agent-level accounts because that is what makes operational sense for the people configuring the system.
The security implication – that a compromised agent account becomes a single-point-of-failure for the entire ticket database – is not front-of-mind when the system is being configured. It becomes front-of-mind when a breach occurs.
The remediation is straightforward: limit bulk export capabilities to administrative accounts, require separate approval workflows for large data exports, and monitor for export events that are anomalous relative to normal agent behaviour. An agent who processes twenty tickets per day and then initiates an export of thirteen million records is not a pattern that should pass without automated detection.
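One way to enforce the first two controls server-side, shown as an added example that is not Adobe's or any ticketing vendor's code. The role names, row caps and approval threshold are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; tune them to the platform's real workload.
POLICY = {
    "agent": {"max_rows_per_request": 500, "max_rows_per_day": 2_000},
    "admin": {"max_rows_per_request": 100_000, "max_rows_per_day": 500_000},
}
APPROVAL_THRESHOLD = 10_000  # rows; above this a second person must sign off


@dataclass
class ExportGate:
    # user -> rows exported so far today (caller resets at day rollover)
    exported_today: dict = field(default_factory=dict)

    def authorize(self, user, role, rows, approver=None, approver_role=None):
        """Return (allowed, reason) for one export request."""
        limits = POLICY.get(role)
        if limits is None:
            return False, "unknown role"  # default deny
        if rows > limits["max_rows_per_request"]:
            return False, "per-request cap exceeded"
        used = self.exported_today.get(user, 0)
        if used + rows > limits["max_rows_per_day"]:
            # Stops one large export being split into many small requests.
            return False, "daily cap exceeded"
        if rows > APPROVAL_THRESHOLD:
            # The approver must be a different person holding the admin role.
            if approver is None or approver == user or approver_role != "admin":
                return False, "independent admin approval required"
        self.exported_today[user] = used + rows
        return True, "ok"
```

The daily cap matters as much as the per-request cap: without it, a compromised agent account can still drain the database in small chunks.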
Whether Adobe had monitoring in place that could have detected this export – and whether it did – has not been disclosed.
What Enterprises With Outsourced Support Operations Must Do Now
The Adobe alleged breach is a direct case study for any enterprise that uses BPO firms or managed service providers with access to customer-facing platforms. The specific attack is not novel. The structural vulnerability it exploited is widespread.
Treat BPO access as a high-risk credential category. BPO employees accessing your customer support platform have the same data access as your internal support agents, but typically operate with less security oversight. Their credentials should be subject to the same MFA requirements, session monitoring, and access controls as your own staff – not lower requirements because they are a contractor.
Audit access control configurations on support platforms. Specifically, audit what agent-level accounts can export, in what volumes, and with what approval requirements. The misconfiguration Mr. Raccoon allegedly exploited – bulk export available to agent accounts – is the kind of configuration decision that is made early in platform setup and never revisited.
Review the security standards in BPO contracts. If your vendor agreements do not specify minimum security controls for BPO employees accessing your platforms – device management standards, MFA requirements, phishing awareness training, incident reporting obligations – negotiate those requirements into your next renewal. The operational risk sits with you.
Monitor for anomalous bulk operations. Exports, downloads, and bulk queries that are inconsistent with normal agent behaviour should trigger automated alerts. The volume of data described in this breach – thirteen million records – cannot be exfiltrated without generating detectable anomalies in access logs.
Re-evaluate what HackerOne submissions your internal teams have access to, and through what systems. If vulnerability disclosure programme data is accessible through the same platforms your support agents use, that is a misconfiguration that needs to be isolated.
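The bulk-operation monitoring recommended above, which also covers the twenty-tickets-a-day versus thirteen-million-records pattern from the remediation discussion, as an added detection example (not from the article or any vendor). The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from statistics import median

FLOOR = 1_000   # assumed: never alert below this many rows per user per day
FACTOR = 20     # assumed: alert when a day exceeds 20x the user's median day

# Constructed audit log (JSON lines); field names are hypothetical.
SAMPLE_LOG = """
{"ts":"2024-05-01T17:00:00","user":"agent7","action":"ticket.view","rows":20}
{"ts":"2024-05-02T17:00:00","user":"agent7","action":"ticket.view","rows":22}
{"ts":"2024-05-03T17:00:00","user":"agent7","action":"ticket.view","rows":18}
{"ts":"2024-05-04T02:13:00","user":"agent7","action":"ticket.export","rows":13000000}
{"ts":"2024-05-01T17:00:00","user":"agent9","action":"ticket.view","rows":25}
{"ts":"2024-05-02T17:00:00","user":"agent9","action":"ticket.export","rows":40}
truncated or corrupt line
{"ts":"2024-05-03T10:00:00","user":"agent9","action":"ticket.export","rows":400}
{"ts":"2024-05-03T10:05:00","user":"agent9","action":"ticket.export","rows":400}
{"ts":"2024-05-03T10:10:00","user":"agent9","action":"ticket.export","rows":400}
"""


def detect(log_text):
    """Return (user, day, rows, baseline) for days far above a user's norm."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows
    for line in log_text.strip().splitlines():
        try:
            ev = json.loads(line)
            user, day, rows = ev["user"], ev["ts"][:10], int(ev["rows"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines rather than abort the run
        daily[user][day] += rows  # summing per day catches chunked exports
    alerts = []
    for user, days in sorted(daily.items()):
        history = []
        for day in sorted(days):
            total = days[day]
            baseline = median(history) if history else 0
            if total > max(FLOOR, FACTOR * baseline):
                alerts.append((user, day, total, baseline))
            else:
                history.append(total)  # flagged days never raise the baseline
    return alerts
```

Run over the sample, this flags both the single thirteen-million-row export by agent7 and the three 400-row exports by agent9 that only stand out once summed.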
Adobe's Response, or the Absence of It
Adobe has issued no public statement confirming or denying the breach claim. That silence is commercially understandable and legally cautious. It is not, from a security standpoint, adequate.
If 13 million support tickets were accessed by an unauthorised actor, the customers whose data is in those tickets have a reasonable expectation of being informed. If HackerOne submissions containing unpatched vulnerability descriptions were accessed, the researchers who submitted those reports in good faith, and the customers whose products contain those vulnerabilities, have a reasonable expectation of an expedited response.
Adobe's regulatory obligations – under GDPR for European customers, under CCPA for California residents, under sector-specific frameworks depending on customer profile – may require formal breach notification regardless of the company's internal assessment of whether the breach is confirmed.
The company's silence is a holding position, not a resolution.
Threat actor Mr. Raccoon claimed responsibility for an Adobe data breach affecting 13 million support tickets, 15,000 employee records, and HackerOne submissions. The breach entry point was allegedly an Indian BPO firm contracted by Adobe. Adobe has not confirmed or denied the claim. The breach remains unverified as of publication.



