Adobe's BPO Backdoor: How 'Mr. Raccoon' Stole 13M Support Tickets — and What Saudi Financial Institutions Must Learn About Vendor Risk

A threat actor called "Mr. Raccoon" compromised an Indian BPO contractor via RAT malware, exfiltrating 13M Adobe support tickets, 15K employee records, and unpublished HackerOne vulnerability reports — a masterclass in third-party risk gone wrong.

FyntraLink Team

Adobe did not get hacked directly. A contractor did — and that was enough. In what security researchers are calling one of the most instructive supply chain breaches of 2026, a threat actor known as "Mr. Raccoon" deployed a Remote Access Tool (RAT) on a workstation belonging to an Indian Business Process Outsourcing (BPO) firm contracted by Adobe for customer support. The result: 13 million support tickets, 15,000 employee records, internal OneDrive documents, and — most dangerously — unpublished HackerOne bug bounty submissions are now allegedly in criminal hands.

The Attack Vector: Your Vendor's Inbox Is Your Attack Surface

The intrusion did not begin with a sophisticated zero-day or a nation-state toolkit. According to malware researchers at vx-underground, who reviewed the evidence and consider the claimed compromise legitimate, the initial foothold was a malicious email delivered to a BPO employee in India. The email deployed a commodity RAT that gave the attacker persistent, silent access to the worker's machine — a machine that had authorized access to Adobe's internal customer support ticketing system.

From that single compromised endpoint, "Mr. Raccoon" navigated laterally into what appears to have been Adobe's customer experience infrastructure, harvesting 13 million support tickets containing customer names, email addresses, contact histories, and authentication tokens. The attacker also accessed what appears to be an Adobe-internal OneDrive environment, pulling 15,000 employee records and internal operational documents. As of publication, Adobe has not issued an official statement confirming or denying the breach — a silence that itself compounds reputational risk.

The HackerOne Problem: Unpublished CVEs as Currency

Among the most alarming elements of the alleged exfiltration is the inclusion of data from Adobe's HackerOne bug bounty program. Bug bounty platforms work on a principle of responsible disclosure: security researchers report vulnerabilities privately, the vendor patches them, and only then are the details published. The data allegedly stolen by Mr. Raccoon includes submissions that have not yet been patched or disclosed — meaning the attacker may now hold a private inventory of unmitigated Adobe product vulnerabilities.

This transforms a data breach into a potential zero-day marketplace. Any organization running Adobe Acrobat, Adobe Experience Manager, Adobe Creative Cloud, or Adobe Commerce in its environment should treat this incident as a precursor to targeted exploitation. Threat actors with access to unpublished CVEs typically monetize them through private exploit sales on forums like Exploit.in or direct deployment against high-value targets — a category that explicitly includes banks and financial institutions.

Impact on Saudi Financial Institutions: Third-Party Risk Is Regulatory Risk

Saudi financial institutions regulated by SAMA operate under the Cyber Security Framework (SAMA CSCC), which dedicates Domain 7 specifically to Third-Party Cybersecurity. The framework mandates that member organizations assess, contractually bind, and continuously monitor all third parties with access to their systems, data, or network environments. The Adobe-BPO incident is an almost textbook illustration of what happens when this domain is treated as a checkbox rather than an operational discipline.

Under the PDPL (Personal Data Protection Law), Saudi organizations that engage data processors — including offshore BPO firms handling customer support, back-office operations, or analytics — remain fully liable for the security of that data. If a Saudi bank's outsourced contact center were compromised in the same manner as Adobe's BPO partner, PDPL Article 29 would hold the data controller accountable regardless of where the breach originated. The National Data Management Office (NDMO) has made clear that outsourcing data processing does not outsource liability. Additionally, under NCA ECC Control 3-5 (Supply Chain Security), organizations are required to enforce cybersecurity requirements throughout their entire supply chain — a control that many institutions still implement inconsistently for lower-tier vendors.

Recommendations: What CISOs Must Do This Week

  1. Audit active third-party access immediately. Generate a complete inventory of every vendor, BPO firm, contractor, and managed service provider (MSP) that has any form of authenticated access to your systems. Prioritize vendors with access to customer data, HR records, or internal communication platforms. Tools like CyberArk, BeyondTrust, or Delinea can accelerate privileged access discovery in hybrid environments.
  2. Enforce endpoint security on contractor devices. If your BPO or outsourcing partners connect to your environment from unmanaged endpoints, you are operating blind. Require EDR deployment (CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint) on all contractor machines as a contractual condition — and verify it with periodic audits, not just attestations.
  3. Implement zero-trust network segmentation for vendor access. BPO employees should access only the specific applications they need, via time-limited, just-in-time privileged access. A customer support agent should not have broad network access to internal document storage. Enforce least-privilege using ZTNA solutions (Zscaler Private Access, Palo Alto Prisma Access) rather than VPN tunnels that grant excessive lateral movement capability.
  4. Review HackerOne and bug bounty exposure windows. If your organization participates in any bug bounty program (HackerOne, Bugcrowd, Intigriti), treat your unresolved submission backlog as a sensitive asset. Implement strict access controls on who can view open reports, rotate API keys immediately, and accelerate remediation of high-severity findings that may now be at elevated risk of disclosure.
  5. Require SOC 2 Type II or SAMA-equivalent third-party audits. For any BPO or outsourcing firm processing data covered under PDPL or SAMA CSCC, contractually require annual third-party security audits and mandate the right to conduct your own penetration tests or security assessments on their infrastructure. This is not a luxury — it is a regulatory expectation under SAMA CSCC Domain 7.3.
  6. Activate threat intelligence monitoring for leaked Adobe credentials. If your employees or partners use Adobe products with corporate email addresses, query breach intelligence platforms (Have I Been Pwned, Recorded Future, Flare) for exposure of those credentials. Enforce MFA reset and credential rotation for any accounts that appear in the alleged dataset.
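Recommendations 1 through 3 amount to a triage of third-party access: rank every vendor account by what data it can reach, whether it comes from a managed endpoint with EDR, and whether it gets broad VPN access or app-scoped, just-in-time ZTNA access. The script below is an added example written for this article, not FyntraLink's tooling or any vendor product. It assumes the access inventory has been exported from the identity provider or PAM tool into a JSON list with the fields shown (`data_scope`, `endpoint_managed`, `edr_present`, `access_model`, `just_in_time`, `mfa`); the three vendor records and the scoring weights are constructed for illustration.

```python
"""Triage a third-party access inventory by exposure.

Added example (not code from the article or its author).  The inventory
and the weights below are constructed sample data; a real run would feed
in an export from the IdP / PAM tool with the same field names.
"""

import json
from dataclasses import dataclass, field

# Constructed sample: three vendor accounts as an IdP export might list them.
SAMPLE_INVENTORY = json.dumps([
    {"vendor": "ExampleBPO Support", "account": "svc-bpo-support",
     "data_scope": ["customer_data", "internal_docs"],
     "endpoint_managed": False, "edr_present": False,
     "access_model": "vpn", "just_in_time": False, "mfa": True},
    {"vendor": "ExampleMSP Backups", "account": "svc-msp-backup",
     "data_scope": ["customer_data", "hr_records"],
     "endpoint_managed": True, "edr_present": True,
     "access_model": "ztna", "just_in_time": True, "mfa": True},
    {"vendor": "ExampleAgency Marketing", "account": "ext-marketing",
     "data_scope": [],
     "endpoint_managed": False, "edr_present": False,
     "access_model": "ztna", "just_in_time": False, "mfa": False},
])

# Assumed weights: data categories the article singles out score highest.
SENSITIVE_SCOPES = {"customer_data": 3, "hr_records": 3, "internal_docs": 2}


@dataclass
class Finding:
    vendor: str
    account: str
    score: int
    reasons: list = field(default_factory=list)


def score_account(acct: dict) -> Finding:
    """Score one vendor account; higher means review it sooner."""
    score = 0
    reasons = []
    for scope in acct.get("data_scope", []):
        score += SENSITIVE_SCOPES.get(scope, 1)
        reasons.append(f"access to {scope}")
    if not acct.get("endpoint_managed", False):
        score += 2
        reasons.append("unmanaged endpoint")
    if not acct.get("edr_present", False):
        score += 2
        reasons.append("no EDR on endpoint")
    if acct.get("access_model") == "vpn":
        score += 2
        reasons.append("broad VPN access rather than app-scoped ZTNA")
    if not acct.get("just_in_time", False):
        score += 1
        reasons.append("standing (not just-in-time) access")
    if not acct.get("mfa", False):
        score += 2
        reasons.append("MFA not enforced")
    return Finding(acct["vendor"], acct["account"], score, reasons)


def triage(inventory_json: str) -> list:
    """Parse the exported inventory and return findings, riskiest first."""
    accounts = json.loads(inventory_json)
    findings = [score_account(a) for a in accounts]
    findings.sort(key=lambda f: (-f.score, f.vendor))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.score:>3}  {f.vendor} ({f.account})")
        for r in f.reasons:
            print(f"       - {r}")
```

Running it on the constructed sample puts the BPO support account first (sensitive data, unmanaged endpoint, no EDR, standing VPN access: the same combination described in the Adobe incident), and the marketing agency account, which touches no sensitive data but has no MFA and no endpoint controls, ahead of the backup MSP, which reaches customer and HR data but does so through EDR-equipped managed endpoints with just-in-time ZTNA access. The point of the weighting is that access to sensitive data alone does not decide priority; the controls around that access do.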

Conclusion

The Adobe BPO breach is not primarily a story about Adobe. It is a story about the invisible attack surface that every organization accumulates through its vendor ecosystem. The attacker did not need to defeat Adobe's perimeter — they only needed to find a single weakly secured endpoint inside a subcontracted support firm thousands of kilometers away. For Saudi financial institutions, where customer trust is both a regulatory mandate and a competitive differentiator, this incident should serve as a forcing function: third-party risk management must move from periodic questionnaire-based compliance to continuous, technical, and contractually enforced oversight.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Third-Party Cyber Risk Assessment — we will map your vendor exposure against SAMA CSCC Domain 7 requirements and deliver a prioritized remediation roadmap within two weeks.