Apr 04, 2026
Adobe Got Breached Through a Single Phishing Email—13 Million Support Tickets Stolen
A threat actor called Mr. Raccoon compromised an outsourced support agent, escalated to admin credentials, and exfiltrated Adobe's entire support database in one request.
13 Million Records, One Request
A threat actor operating under the alias "Mr. Raccoon" claims to have stolen 13 million Adobe customer support tickets, 15,000 employee records including home addresses and phone numbers, and HackerOne bug bounty submissions containing full vulnerability documentation and proof-of-concept exploits. The attacker provided screenshots and file directory evidence to International Cyber Digest, though Adobe has not publicly confirmed the breach.
The support tickets contained names, email addresses, account IDs, and detailed technical notes from years of customer interactions. The employee records included personal details that go far beyond what most workers expect their employer to store in accessible systems.
How a Phishing Email Became a Full Breach
The attack followed a methodical escalation path that started with a single phishing email:
- Initial access: A phishing email targeted a support agent at an Indian business process outsourcing (BPO) firm handling Adobe tickets. The email deployed a remote access tool onto the agent's workstation.
- Reconnaissance: The attacker monitored the compromised machine, accessing the webcam and WhatsApp messages to study internal communications and reporting hierarchy.
- Privilege escalation: Using the compromised agent's email account, the attacker sent a second phishing email to the agent's manager, obtaining admin-level credentials.
- Exfiltration: With admin access, the attacker exported the entire support ticket database "in one request" with no rate limiting, no data loss prevention triggers, and no security operations center alerts.
The Contractor Problem
The breach did not exploit a vulnerability in Adobe's primary infrastructure. It targeted the weakest link in a common enterprise arrangement: an outsourced contractor with access to sensitive customer data but without the security controls of the parent company.
This pattern repeats across the industry. The Hims & Hers breach through Zendesk, the Target breach through an HVAC vendor, the SolarWinds supply chain attack: each exploited trust relationships between organizations. When your data sits in a contractor's system, your security is only as strong as their weakest employee.
What the Stolen Data Means for You
If you have ever contacted Adobe support, your email address, name, and the details of your technical issue may now be in the hands of a threat actor. Support tickets often contain information people share freely with customer service but would never post publicly: software license keys, system configurations, screenshots of error messages that reveal file paths and usernames.
The stolen HackerOne bug bounty data poses an additional risk. Those reports contain detailed vulnerability information, including proof-of-concept code, that was submitted confidentially. If any of those vulnerabilities remain unpatched, the breach just handed attackers a roadmap.
No Zero Days Required
What makes this breach notable is not its sophistication but its simplicity. No zero-day exploits were used. No exotic malware was deployed. The entire attack chain relied on phishing, social engineering, and the absence of basic security controls at the contractor level.
The fact that 13 million records could be exported in a single request without triggering any alerts suggests that Adobe's support infrastructure lacked rate limiting on bulk data exports, data loss prevention monitoring on outbound transfers, and segmentation between contractor access and production databases.
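The two export controls named above, a per-request cap and a rolling volume budget, can be expressed as detection logic over an export audit log. This is an added example, not code from Adobe or from the original article; the log format, field names, actor names and thresholds are all assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records for a hypothetical ticket-export endpoint.
# Field names, actors and counts are illustrative, not taken from any real system.
SAMPLE_LOG = """\
{"ts":"2026-03-30T09:02:11","actor":"agent17","origin":"contractor","action":"export","records":40}
{"ts":"2026-03-30T09:10:00","actor":"analyst3","origin":"employee","action":"export","records":4000}
{"ts":"2026-03-30T09:25:00","actor":"analyst3","origin":"employee","action":"export","records":4000}
{"ts":"2026-03-30T09:40:00","actor":"analyst3","origin":"employee","action":"export","records":4000}
{"ts":"2026-03-30T12:00:00","actor":"analyst3","origin":"employee","action":"export","records":4000}
{"ts":"2026-03-30T14:31:07","actor":"mgr_admin","origin":"contractor","action":"export","records":13000000}
"""

# Assumed thresholds; tune them against a baseline of normal export sizes.
PER_REQUEST_CAP = {"employee": 5_000, "contractor": 500}
WINDOW = timedelta(hours=1)
WINDOW_CAP = 10_000  # records one actor may export per rolling window

def parse(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def evaluate(events):
    """Return (timestamp, actor, rule) for every export that breaks a limit."""
    alerts, history = [], defaultdict(list)  # history: actor -> [(ts, records)]
    for e in events:
        if e["action"] != "export":
            continue
        # Rule 1: one request larger than the cap for this origin.
        # Unknown origins fall back to the strictest cap.
        cap = PER_REQUEST_CAP.get(e["origin"], min(PER_REQUEST_CAP.values()))
        if e["records"] > cap:
            alerts.append((e["ts"].isoformat(), e["actor"], "single-request-cap"))
        # Rule 2: many compliant requests that add up inside the window.
        recent = [(t, n) for t, n in history[e["actor"]] if e["ts"] - t <= WINDOW]
        recent.append((e["ts"], e["records"]))
        history[e["actor"]] = recent
        if sum(n for _, n in recent) > WINDOW_CAP:
            alerts.append((e["ts"].isoformat(), e["actor"], "rolling-volume"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse(SAMPLE_LOG)):
        print(*alert)
```

The same thresholds work as enforcement when applied at the export endpoint itself: reject or queue for approval instead of alerting after the fact.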
How to Protect Yourself
If you use Adobe products, take these steps now:
- Change your Adobe password and enable two-factor authentication if you have not already.
- Watch for targeted phishing that references your Adobe support history. Attackers now have context to craft convincing messages.
- Review what you shared in past support tickets. If you included screenshots with visible credentials or file paths, assume those are compromised.
- Monitor your email for unusual activity. The stolen data includes email addresses that can be used for credential stuffing and phishing campaigns.
A Familiar Pattern
Adobe has been here before. In 2013, the company suffered a massive breach that exposed 153 million user records. That incident led to widespread credential stuffing attacks that persisted for years. This latest breach, if confirmed, follows the same playbook: a large trove of customer data exfiltrated through insufficient access controls.
The lesson for enterprises is clear: your security perimeter includes every contractor, every outsourced support desk, and every third-party tool with access to your data. Until companies treat vendor security as seriously as their own, breaches like this will keep happening.