What happened
A threat actor identified as "Mr. Raccoon" claimed to have accessed Adobe's internal support infrastructure after a phishing email was opened on a device belonging to a contractor at an Indian business process outsourcing (BPO) vendor. The attacker delivered a remote access tool via the phishing email, then used it to move from the contractor's account into a manager's account, progressively expanding access.
The claimed exposure included 13 million support tickets, 15,000 employee records, HackerOne vulnerability submissions (unpublished security reports), and internal technical documents. Adobe had not officially confirmed the full scope at the time of publication.
Why contractor devices are a significant risk
Contractors and third-party vendors frequently have access to internal systems — support platforms, ticketing systems, development tools — but their devices are often outside the organisation's direct security controls. A contractor's personal or employer-issued device may not have the same endpoint protections, update schedules, or monitoring as a fully managed corporate device.
What this means for you
- Be cautious about what access third-party tools and vendors are granted to internal systems
- Treat phishing emails with the same suspicion regardless of which device you are using
- If you work with external contractors who have system access, ensure IT is aware and access is scoped appropriately
- Report any suspicious emails before opening attachments or clicking links