Threat Actor Claims Adobe Support Breach via Third-Party BPO
A threat actor using the alias "Mr. Raccoon" has allegedly breached Adobe support systems through a third-party Indian BPO contractor and claims to have stolen a large cache of sensitive data. According to unverified reports and social media posts, the actor first compromised a contractor employee with a malicious email delivering a remote access trojan, then expanded access by phishing the employee’s manager. The attacker says the intrusion exposed more than 13 million support ticket records, roughly 15,000 employee records, internal documents, Adobe’s Microsoft SharePoint environment, and submissions from Adobe’s HackerOne bug bounty program.
The reports further allege the actor abused overly permissive ticket export functionality that allowed bulk extraction of support data in a single request, raising concerns about phishing, identity theft, and exposure of unpublished vulnerability disclosures. The incident, if confirmed, would represent a significant third-party supply chain compromise affecting Adobe’s support operations. Adobe had not publicly confirmed or denied the claims at the time the reports were published.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Google links UNC6783 to Raccoon and BPO-targeting support ticket theft
Google Threat Intelligence Group reported that UNC6783 is targeting business process outsourcing providers to steal corporate Zendesk support tickets and access downstream victims using phishing, helpdesk manipulation, fake Okta pages, and remote access malware. GTIG assessed UNC6783 may be linked to the Raccoon persona associated with attacks on multiple BPOs, including the unconfirmed Adobe-related claim.
Google says UNC6783 extorted several dozen companies after BPO intrusions
Google Threat Intelligence Group reported that UNC6783, potentially linked to the Raccoon persona, targeted several dozen high-value companies by exploiting BPOs, helpdesks, and support workflows. After stealing data through phishing, spoofed Okta pages, device enrollment abuse, and occasional remote access malware, the actor sent Proton Mail ransom notes as part of data-theft extortion operations.
Researchers assess alleged Adobe breach may be limited to helpdesk systems
Researchers from vx-underground said the alleged Adobe breach appeared plausible but may have been confined to the helpdesk environment rather than Adobe's full corporate network. The reporting also cited analyst suspicion that initial access may have involved a remote access trojan delivered by malicious email.
Adobe had not confirmed or denied the alleged breach
At the time the claims were reported, Adobe had not publicly confirmed or denied the alleged incident. Coverage emphasized that the breach details remained unverified pending an official response.
Threat actor 'Mr. Raccoon' claims breach of Adobe via third-party BPO
Unverified reports said a threat actor calling himself 'Mr. Raccoon' claimed to have compromised Adobe support operations through an Indian BPO contractor. The alleged haul included 13 million support tickets, about 15,000 employee records, access to Adobe SharePoint and HackerOne data, and internal documents.
Sources
8 references tracked.
Actor tied to Raccoon targets ‘several dozen’ companies by exploiting BPOs and helpdesks | news | SC Media (scworld.com)
'Several dozen' orgs targeted by a new extortion crew • The Register (go.theregister.com)
Nascent extortion campaign underpinned by social engineering | brief | SC Media (scworld.com)
Google: New UNC6783 hackers steal corporate Zendesk support tickets (bleepingcomputer.com)
Tracking the Raccoon: UNC6783 Targeting Dozens of Enterprises - Austin Larsen (austinlarsen.me)
Alleged Adobe helpdesk system breach reported | brief | SC Media (scworld.com)
Adobe Breach - Threat Actor Allegedly Claims Leak of 13 Million Support Tickets and Employee Records (cybersecuritynews.com)
A threat actor who goes by the name "Mr. Raccoon" has claimed to hack Adobe support via 3rd party Indian BPO firm : r/netsec (reddit.com)


