HIGH Attacks Reddit r/netsec

A threat actor who goes by the name "Mr. Raccoon" has claimed to hack Adobe support via 3rd party Indian BPO firm

A threat actor compromised Adobe's support ecosystem via a third-party Indian BPO firm, using a multi-stage social engineering attack that began by phishing a support agent and then pivoted to a manager's account to gain elevated access. The breach reportedly exposed millions of support tickets and internal data, highlighting critical failures in vendor security and access control. Organizations outsourcing support functions should urgently review third-party security postures and implement strict segmentation and monitoring for elevated vendor accounts.

TL;DR: An alleged massive data breach has hit Adobe, carried out by a threat actor going by “Mr. Raccoon.” The breach reportedly ran through a third-party Indian BPO firm and may have exposed 13 million support tickets, 15,000 employee records, and bug bounty submissions pulled directly from HackerOne. Adobe hasn’t confirmed anything yet, but the evidence the attacker put out, screenshots and file directories, points to real failures in access control and vendor security. This report breaks down the full attack chain, what was taken, and why it should worry any organization that outsources support work.

[Image: Adobe logo]

The Adobe “Mr. Raccoon” Breach: What Actually Happened

Early 2026 has delivered what looks like one of the nastier data exfiltrations in recent memory. A threat actor calling himself “Mr. Raccoon” has claimed he broke into Adobe’s ecosystem in stages, and the most unsettling part isn’t the scale of what was stolen. It’s where he got in. He didn’t touch Adobe’s primary data centers. He went through a BPO in India. That distinction matters. It means Adobe’s own perimeter didn’t fail. A contractor’s did. And somehow that was enough.

Why a BPO Was the Entry Point

BPOs handle sensitive customer data for major corporations while typically running leaner on security budgets, training, and staff retention than the companies that hire them. That makes them attractive targets for initial access brokers – the people who specialize in getting in, then either using or selling that access. Mr. Raccoon’s first move was a targeted phishing email sent to a support agent at the Indian BPO that handled Adobe customer tickets. The agent ran a Remote Access Tool. From that point, Mr. Raccoon had full control of the workstation. What he did next is what separates this from a routine credential theft. He didn’t immediately go for data. He turned on the webcam. He read the employee’s WhatsApp messages. He watched how internal communication worked – tone, phrasing, who talked to whom. He wasn’t just in the machine. He was studying the environment.

[Image: Possible attack pathway]

Moving Up: The Manager Pivot

Once he understood the internal hierarchy, he sent a second phishing attempt, but this time from the compromised agent’s account, aimed at the agent’s manager. This is where traditional email security falls down. The message came from a known internal address. The manager had no obvious reason to doubt it. They responded. They handed over credentials that gave Mr. Raccoon admin-level access to Adobe’s core support platform. In many BPO setups, managers carry elevated permissions specifically so they can resolve complex escalations. Once Mr. Raccoon had those credentials, he wasn’t a guest in the system anymore. He was running it.

The Export That Should Never Have Been Possible

Here’s the part that sticks with me: Mr. Raccoon reportedly told International Cyber Digest that he exported the entire support ticket database “in one request from an agent.” Thirteen million records. One request. There was no rate limiting. No DLP trigger. No alert fired in the SOC when a support agent’s account started behaving like a database administrator pulling an entire system backup. In a properly configured environment, that export either doesn’t happen or it sets off a chain of automated alerts before it finishes. Neither happened here. The data walked out the door without resistance.

What Was Taken

The alleged dataset covers three separate groups of people, each exposed in different ways.

[Image: Adobe SharePoint (Source: X)]

13 Million Support Tickets

Support tickets are actually some of the richest raw material available for social engineering and fraud. They contain names, email addresses, account IDs, and internal technical notes. They also sometimes contain things users shouldn’t have typed in the first place, like passwords, card numbers, and other sensitive details people paste into chat windows despite the warnings. Beyond identity theft, this data is a detailed map for anyone who wants to impersonate Adobe support.

15,000 Employee Records

This likely includes home addresses, phone numbers, employee IDs, and potentially payroll data. For the individuals involved, this isn’t an abstract risk. It’s a direct one.

HackerOne Bug Bounty Submissions

This is the piece that worries security researchers the most. HackerOne is where ethical hackers report vulnerabilities to companies like Adobe through coordinated disclosure. Those submissions include full proof-of-concept documentation and step-by-step instructions for exploiting whatever flaw was found.

[Image: Adobe’s HackerOne Portal (Source: X)]

If Mr. Raccoon has all of those submissions, he has a working list of every vulnerability Adobe has faced, including ones that were partially patched, deprioritized, or quietly shelved as edge cases. Any buyer who gets that data has a functional attack guide.

The HackerOne Problem Is Different From Everything Else

Everything else in this breach is bad in ways that are recoverab...
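A minimal version of the control the export section says was missing, added here as an example that is not from the original article or from Adobe: a per-account, per-role sliding-window check over support-platform export events. The audit event layout, the role ceilings, the window length and the account names are all assumptions, and the sample events are constructed.

```python
"""Bulk-export detector for support-platform audit events (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, account, role, action, record_count).
# agent17 issues one oversized request; agent22 spreads exports over several
# small requests that individually look harmless.
SAMPLE_EVENTS = [
    ("2026-01-10T09:00:00", "agent17", "support_agent", "ticket.export", 40),
    ("2026-01-10T09:05:00", "agent17", "support_agent", "ticket.export", 25),
    ("2026-01-10T09:06:00", "mgr03", "support_manager", "ticket.export", 500),
    ("2026-01-10T09:07:00", "agent17", "support_agent", "ticket.export", 13_000_000),
    ("2026-01-10T09:30:00", "agent22", "support_agent", "ticket.export", 90),
    ("2026-01-10T09:35:00", "agent22", "support_agent", "ticket.export", 90),
    ("2026-01-10T09:40:00", "agent22", "support_agent", "ticket.export", 90),
    ("2026-01-10T10:00:00", "agent22", "support_agent", "ticket.export", 50),
]

# Assumed per-role ceilings: records one account may export within WINDOW.
ROLE_LIMITS = {"support_agent": 200, "support_manager": 5_000}
WINDOW = timedelta(minutes=15)
SINGLE_REQUEST_LIMIT = 1_000  # any single request above this alerts regardless of role


def detect_bulk_exports(events, role_limits=ROLE_LIMITS, window=WINDOW,
                        single_limit=SINGLE_REQUEST_LIMIT):
    """Return a list of (account, reason, record_count) alerts.

    Two checks run per export event: a hard cap on a single request, and a
    rolling per-account total over the last `window`, compared against the
    ceiling for the role the account was acting under.
    """
    alerts = []
    history = defaultdict(list)  # account -> [(timestamp, record_count)]
    minutes = int(window.total_seconds() // 60)
    for ts_str, account, role, action, count in sorted(events):
        if action != "ticket.export":
            continue
        ts = datetime.fromisoformat(ts_str)
        if count > single_limit:
            alerts.append((account, "single_request_exceeds_limit", count))
        hist = history[account]
        hist.append((ts, count))
        # Keep only events inside the sliding window before summing.
        hist[:] = [(t, c) for t, c in hist if ts - t <= window]
        total = sum(c for _, c in hist)
        if total > role_limits.get(role, 0):
            alerts.append((account, f"rolling_{minutes}m_total_exceeds_{role}_limit", total))
    return alerts
```

The rolling check is what catches agent22: no single request exceeds the agent ceiling, but the 15-minute total does, while the 10:00 request falls outside the window and stays quiet.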
