The cybersecurity world is reeling following reports of a massive data breach at Adobe, orchestrated by a threat actor known as Mr. Raccoon. The intrusion, first brought to light by the IntCyberDigest account on X, highlights the critical risks inherent in the modern global supply chain.
By targeting a third-party Business Process Outsourcing (BPO) firm in India, the attacker managed to bypass Adobe’s primary defenses, exfiltrating a staggering volume of sensitive data—including 13 million customer support tickets.
🚨‼️ BREAKING: Adobe has been breached by threat actor Mr. Raccoon, leaking 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents and more.
Mr. Raccoon gained access through an Indian BPO, first deploying a remote… pic.twitter.com/cCH74Fjluk
— International Cyber Digest (@IntCyberDigest) April 2, 2026
The breach was not a result of a direct exploit on Adobe’s infrastructure, but rather a calculated “human-element” attack on a partner. Mr. Raccoon’s entry point was an employee at an Indian BPO service provider.
The attack unfolded in two stages:
- The attacker delivered a Remote Access Tool (RAT) via a deceptive email. Once executed, Mr. Raccoon gained total control over the employee’s workstation, reportedly even accessing their webcam and private WhatsApp conversations.
- Armed with the employee’s credentials and environmental context, the attacker launched a targeted phishing attack against the employee’s manager. This successful “upward” phish provided the elevated privileges necessary to access Adobe’s internal support systems.
Once the gates were open, the scope of the theft was limited only by the attacker’s storage. Mr. Raccoon exploited a glaring lack of rate-limiting or bulk-export protections within the support portal.
“They allowed you to export all tickets in one request from an agent,” Mr. Raccoon reportedly stated, highlighting a critical architectural oversight.
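A server-side control for the gap described above (an agent account able to export every ticket in one request), shown as an added example that is not from the article or from Adobe: a per-request cap combined with a rolling per-agent quota, with every denial recorded for review. The limits, the class and function names, and the sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_PER_REQUEST = 200   # assumed cap on tickets returned by one export call
MAX_PER_WINDOW = 1000   # assumed cap on tickets per agent per rolling window
WINDOW_SECONDS = 3600   # assumed rolling window length

class ExportGuard:
    """Per-agent bulk-export control: request-size cap plus rolling quota."""

    def __init__(self):
        self._history = defaultdict(deque)  # agent_id -> deque[(ts, count)]
        self.alerts = []                    # denied requests, kept for review

    def _used(self, agent_id, now):
        q = self._history[agent_id]
        while q and q[0][0] <= now - WINDOW_SECONDS:  # drop expired entries
            q.popleft()
        return sum(n for _, n in q)

    def authorize(self, agent_id, requested, now):
        """Return (allowed, reason); `now` is a Unix timestamp in seconds."""
        if requested <= 0:
            return False, "invalid_count"
        if requested > MAX_PER_REQUEST:
            return self._deny(agent_id, requested, now, "request_too_large")
        if self._used(agent_id, now) + requested > MAX_PER_WINDOW:
            return self._deny(agent_id, requested, now, "window_quota_exceeded")
        self._history[agent_id].append((now, requested))
        return True, "ok"

    def _deny(self, agent_id, requested, now, reason):
        self.alerts.append({"agent": agent_id, "requested": requested, "ts": now, "reason": reason})
        return False, reason

def replay(requests):
    guard = ExportGuard()
    decisions = [guard.authorize(a, n, t) for a, n, t in requests]
    return decisions, guard.alerts

# Constructed sample traffic: one normal agent, one export-everything request,
# then the same account paging through tickets in maximum-size chunks.
SAMPLE = [("agent-17", 40, 0), ("agent-42", 13_000_000, 10)] + [
    ("agent-42", 200, 20 + i) for i in range(6)
]

if __name__ == "__main__":
    for req, (ok, reason) in zip(SAMPLE, replay(SAMPLE)[0]):
        print(req, "->", "ALLOW" if ok else "DENY", reason)
```

The rolling quota matters as much as the per-request cap: without it, the same volume can be pulled in many maximum-size requests, which is why the sixth chunked request in the sample is denied.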
The exfiltrated data includes:
- 13 Million Support Tickets: Containing a treasure trove of customer personal data and historical issues.
- 15,000 Employee Records: Exposing internal staff details.
- HackerOne Submissions: Potentially revealing sensitive, previously reported (and perhaps unpatched) security vulnerabilities.
- Internal Documents: Leaking confidential corporate strategy and technical specifications.
While Adobe likely maintains world-class internal security, the “trust” extended to a BPO partner provided a backdoor that rendered those defenses moot.