[agents/model-providers] [xai-auth] bootstrap config fallback: no config-backed key found

title: "Intel Brief: Adobe — Mr. Raccoon BPO Supply Chain Attack" date: 2026-04-04 slug: adobe-mr-raccoon-13m-support-tickets

Intel Brief: Adobe — Mr. Raccoon BPO Supply Chain Attack

On April 2, 2026, threat actor Mr. Raccoon publicly claimed responsibility for a major breach of Adobe, exposing approximately 13 million customer support tickets, 15,000 employee records, all HackerOne bug bounty submissions, and internal corporate documents. The attack bypassed Adobe's direct defenses by targeting a third-party Business Process Outsourcing (BPO) firm in India that provided support services to Adobe. The breach represents a sophisticated supply chain attack exploiting the trust relationship between Adobe and its BPO service provider, demonstrating how critical infrastructure vulnerabilities exist not in primary targets but in trusted third-party service providers. The attacker's ability to exploit a single BPO employee's credentials to access Adobe's entire support ticket database and sensitive internal systems highlights systemic failures in access controls, vendor security management, and data export protection mechanisms.

What Happened

Threat actor Mr. Raccoon successfully compromised an Indian Business Process Outsourcing (BPO) firm providing customer support services to Adobe. Using the compromised BPO employee's credentials, the attacker gained unauthorized access to Adobe's internal support systems and exfiltrated massive volumes of sensitive data.

Confirmed Facts:

• Threat actor Mr. Raccoon claimed responsibility for the breach
• Attack targeted a third-party BPO service provider in India, not Adobe directly
• Attack occurred in early April 2026 (publicly disclosed April 2)
• Adobe's internal support systems were compromised
• Approximately 13 million customer support tickets were exfiltrated
• 15,000 employee records were stolen
• All HackerOne bug bounty submissions were accessed and leaked
• Internal corporate documents were exfiltrated
• The attack exploited lack of rate-limiting and bulk-export protections

Attack Timeline:

1. Initial Compromise (date not disclosed): Mr. Raccoon delivered a Remote Access Tool (RAT) via deceptive email to a BPO employee.

2. Workstation Control (date not disclosed): RAT execution provided attacker with complete control over the employee's workstation, including webcam access and private communications (WhatsApp).

3. Lateral Movement (date not disclosed): Attacker used compromised employee credentials to launch targeted phishing against the employee's manager, obtaining elevated privileges.

4. Adobe System Access (date not disclosed): With elevated credentials, attacker accessed Adobe's internal support portal.

5. Data Exfiltration (date not disclosed): Attacker exploited absence of rate-limiting to export all support tickets in bulk requests.

6. Public Disclosure (April 2, 2026): Mr. Raccoon publicly claimed responsibility via X/Twitter.

What Was Taken

Confirmed Data Exposure:

• 13 million customer support tickets containing personal customer data
• 15,000 employee records and internal staff information
• Complete HackerOne bug bounty submission database
• Internal corporate documents and strategic information

Sensitivity Assessment: Critical. Exposed data includes:

• Customer personal information from support tickets (names, contact details, account information)
• Customer technical issues and product usage patterns
• Adobe employee names, titles, contact information, and internal details
• Previously reported security vulnerabilities via HackerOne (potentially unpatched)
• Internal technical specifications and corporate strategy
• Confidential business communications and planning documents

Strategic Impact: The exposure of this data enables:

• Identity theft and social engineering targeting 13 million Adobe customers
• Competitive intelligence regarding Adobe's technical vulnerabilities
• Targeting of Adobe employees for credential theft and social engineering
• Exploitation of unpatched vulnerabilities reported to HackerOne
• Compromise of Adobe's security research and bug bounty coordination

Why It Matters

This breach represents a critical failure of supply chain security practices and demonstrates how trusted third-party relationships create exponential security risks for major enterprises.

Strategic Significance:

1. Supply Chain Attack Sophistication: The attack bypassed Adobe's direct defenses by exploiting the trust relationship with a third-party BPO provider—a common pattern in sophisticated breaches of major enterprises.

2. Third-Party Vendor Risk: Adobe's reliance on an Indian BPO for customer support created a critical security dependency. The compromise of one BPO employee granted access to Adobe's entire support infrastructure.

3. Human-Element Attack: The attack exploited social engineering and credential compromise rather than technical exploits, demonstrating the persistent vulnerability of human-based security measures.

4. Architectural Failure: Adobe's support portal lacked basic security controls including rate-limiting and bulk-export protections, allowing unrestricted data exfiltration.

5. HackerOne Vulnerability Exposure: The leak of HackerOne submissions may expose previously reported (and potentially unpatched) vulnerabilities, creating risk that other threat actors exploit disclosed security gaps.

6. Exponential Data Exposure: Adobe's support ticket system aggregated data from millions of customers. A single system compromise exposed customer information across Adobe's entire user base.

The Attack Technique

Confirmed Attack Chain:

1. Initial Compromise: Mr. Raccoon delivered a Remote Access Tool (RAT) via deceptive email targeting a BPO employee.

2. Remote Access Establishment: Upon execution, the RAT provided complete workstation control, including:

3. Full system access
4. Webcam access
5. Access to private communications (WhatsApp)

6. Environmental context and system information

7. Credential Harvesting: Attacker obtained the compromised employee's credentials and access context.

8. Targeted Phishing: Using the employee's context, attacker launched targeted phishing attack against the employee's manager, requesting elevated access or administrative credentials.

9. Manager Credential Compromise: Successful phish provided attacker with elevated credentials and manager-level access permissions.

10. Adobe Support Portal Access: Elevated credentials enabled access to Adobe's internal customer support systems.

11. Bulk Data Exfiltration: Attacker exploited absence of rate-limiting to export all support tickets in single bulk requests, as stated by Mr. Raccoon: "They allowed you to export all tickets in one request from an agent."

Not Disclosed: The specific vulnerability or configuration error enabling bulk ticket export was not disclosed in available reporting.

What Organizations Should Do

For Adobe & Enterprise Software Companies:

1. Immediate Incident Response & Forensic Analysis — Conduct complete forensic investigation of compromised BPO systems and Adobe's support infrastructure; determine scope of unauthorized access; assess whether additional systems remain compromised.

2. Third-Party Vendor Security Audit — Immediately audit all third-party service providers with access to customer data or internal systems; conduct security assessments of BPO and outsourcing relationships; implement mandatory security certifications (SOC 2 Type II).

3. Support Portal Access Control Overhaul — Implement multi-factor authentication for all support agent access; restrict bulk data export with rate-limiting and approval workflows; implement immutable audit logging for all data access and exports.

4. Customer Notification & Data Protection — Notify all customers whose data appeared in support tickets; provide credit monitoring and identity theft protection; assess GDPR and data protection law obligations.

5. HackerOne Coordination & Vulnerability Assessment — Contact HackerOne to assess which reported vulnerabilities may have been disclosed; prioritize patching of any unpatched vulnerabilities; coordinate with security researchers regarding disclosure.

6. Supply Chain Risk Management Framework — Implement zero-trust security model for third-party vendor access; require encryption of data at rest and in transit for all third-party systems; establish vendor-specific incident response plans and notification requirements.

For Third-Party Service Providers & BPO Firms:

• Implement mandatory security awareness training for all employees with access to customer data
• Deploy endpoint detection and response (EDR) to identify RAT deployment and unusual access patterns
• Implement email security controls to prevent RAT delivery via email
• Establish isolated network segmentation for systems with access to customer data
• Deploy multi-factor authentication for all access to customer systems

For Customers of Adobe:

• Monitor your Adobe support account for unauthorized activity
• Review your support ticket history for sensitive information exposure
• Monitor for phishing and social engineering targeting your account
• Be alert to credential compromise attempts using information from support tickets

For Security Researchers & HackerOne Community:

• Assess whether your submitted vulnerabilities were exposed in the leak
• Prepare for potential exploitation by other threat actors
• Coordinate with Adobe on patching timelines

Sources: The BPO Backdoor: How "Mr. Raccoon" Swiped 13 Million Adobe Support Tickets