A threat actor operating under the alias “Mr. Raccoon” is claiming to have breached a major Indian Business Process Outsourcing (BPO) firm contracted by Adobe, allegedly exfiltrating 13 million customer support tickets, 15,000 employee records, internal company documents, and — most alarmingly — the entirety of Adobe’s private submissions to its HackerOne bug bounty program. The claim, first surfaced on April 8, 2026, has yet to be officially confirmed or denied by Adobe, but has sent shockwaves through the security community due to the potential severity of the exposed data.
What Was Allegedly Stolen
According to the threat actor’s claims and analysis by multiple cybersecurity researchers who have reviewed samples of the purported data, the breach encompasses an extraordinarily wide range of sensitive material:
- 13 million customer support tickets: These records contain detailed customer communications, product issues, account information, and in many cases attachments that may include screenshots, license keys, and other private data.
- 15,000 employee records: Internal HR data including names, email addresses, and potentially sensitive employment information.
- Internal company documents: Strategic planning documents, internal memos, and operational data from Adobe’s support infrastructure.
- HackerOne bug bounty submissions: Unpublished vulnerability reports submitted by security researchers that have not yet been patched or publicly disclosed — representing a treasure trove for other threat actors.
The Attack Method: No Zero-Days Required
What makes this alleged breach particularly notable is the claimed simplicity of the attack chain. According to Mr. Raccoon’s own account, the intrusion required no exotic malware, no zero-day exploits, and no sophisticated technical capabilities. Instead, the attacker reportedly used a single phishing email to compromise a BPO employee’s workstation, escalated to a manager’s credentials through lateral movement, and then leveraged that access to exfiltrate 13 million records from Adobe’s support ticketing system.
This method — targeting a trusted third-party vendor rather than attacking Adobe directly — is a textbook example of a third-party supply chain attack. The BPO firm had legitimate, privileged access to Adobe’s customer data as part of its contracted support role, meaning the attackers did not need to breach Adobe’s own hardened perimeter at all.
The HackerOne Data: A Secondary Threat Multiplier
Perhaps the most concerning element of the alleged breach is the inclusion of Adobe’s HackerOne bug bounty submissions. HackerOne serves as Adobe’s platform for receiving confidential vulnerability reports from independent security researchers. These submissions detail unpatched flaws in Adobe products — flaws that have been responsibly disclosed but not yet fixed or publicly announced.
If this data is authentic, other threat actors gaining access to it would effectively possess a roadmap of Adobe’s known, unpatched vulnerabilities — allowing them to develop exploits for flaws that the public does not yet know exist. The security community has urged Adobe to treat all currently open HackerOne submissions as potentially compromised and to accelerate patching timelines accordingly.
Adobe’s Response
At the time of publication, Adobe has not released an official statement confirming or denying the breach. The company has not notified affected customers through official channels. Security researchers and media outlets that reached out to Adobe for comment received no response by the time of publication.
The lack of an official statement has been criticized by the cybersecurity community, particularly given the sensitive nature of the allegedly compromised data and the potential downstream risks posed by the exposed HackerOne submissions.
What Affected Users Should Do
While the breach remains unverified at the organizational level, users who have interacted with Adobe customer support should take precautionary measures:
- Change passwords for Adobe accounts, especially if the same password is used elsewhere.
- Enable multi-factor authentication (MFA) on Adobe accounts if not already active.
- Monitor email accounts for phishing attempts that may leverage information contained in the allegedly exposed support tickets.
- Be alert to targeted social engineering calls or messages referencing past Adobe support interactions.
Third-Party Risk: An Accelerating Threat
The alleged Adobe breach is the latest in a long line of major data incidents traceable to third-party vendor access. Security experts have long warned that organizations’ security posture is only as strong as their weakest vendor link. As enterprises increasingly outsource support, development, and operational functions to BPO and managed service providers, the attack surface expands dramatically beyond the organization’s direct control.
Analysts recommend that organizations conduct thorough third-party security assessments, enforce least-privilege access controls for all vendor accounts, implement continuous monitoring of third-party data access, and require vendors to demonstrate equivalent security controls to those applied internally.