
"Adobe's 13M Support Tickets Leak: Why Your Helpdesk History Is the Next Phishing Goldmine"

Mosaic Team
Published: April 26, 2026

In late April 2026, a threat actor calling themselves Mr. Raccoon posted a sample of what they described as 13 million Adobe support tickets, 15,000 employee records, internal company documents, and the entire archive of Adobe's HackerOne bug bounty submissions. Adobe has not officially confirmed the breach at the time of writing, but malware researchers — including the well-followed group vx-underground — have looked at the leaked sample and called it credible.

The interesting part isn't the volume. It's the path in. According to the attacker's own write-up, there were no zero-days, no exotic malware, and no sophisticated supply-chain implants. The chain was:

  1. A phishing email landed at an Indian business process outsourcing (BPO) firm that handles Adobe customer support.
  2. The phish compromised a single agent's workstation.
  3. From that workstation, the attacker pivoted to a manager's credentials.
  4. From there, they pulled 13 million tickets out of the helpdesk system over the course of weeks.

If you've ever opened a support ticket with Adobe — about a stuck Creative Cloud renewal, a license transfer, a font installation question, anything — there's a non-trivial chance your name, email, the products you own, and the actual conversation are now in someone else's hands. And the people holding it are very good at turning helpdesk history into convincing phishing.

This post explains exactly what kind of data was in those tickets, why support transcripts are dangerously valuable, and the small set of habits that make you a much harder target before the inevitable follow-on scams arrive.


What Was Likely Exposed

The leaked sample reviewed by independent researchers includes (per reporting from Cybernews, GBHackers, and Cyber Security News):

| Category | In the leak? |
| --- | --- |
| Customer full name | Yes |
| Email address | Yes |
| Phone number | Often present in ticket metadata |
| Adobe product(s) owned and license type | Yes |
| Conversation transcripts with support agents | Yes — the entire body of the ticket |
| Order / invoice references | Often referenced in tickets |
| Last 4 digits of payment cards / billing context | In some tickets |
| Adobe employee records (~15,000) | Yes — separate dump |
| HackerOne bug bounty submissions | Yes — including unpatched issues |
| Full credit card numbers / passwords | No — not in the helpdesk system to begin with |

Card numbers and account passwords aren't in this dataset, and that's genuinely good news. But understand what is in there: the exact context an attacker would need to impersonate Adobe customer service to you, by name, by product, by issue.

"We don't have your password. We have what you said when you couldn't log in."

That distinction is what makes a leaked support corpus more dangerous than the raw metadata most breaches expose.


Why Helpdesk Tickets Are an Especially Toxic Leak

Most breach roundups treat all stolen data as roughly equivalent — names, emails, phone numbers. Support tickets are a different category. Three properties make them a phisher's dream:

1. They contain narrative, not just identifiers

A ticket isn't a row in a CRM. It's a conversation: "I tried to update Lightroom on my MacBook Pro and got error 200:6. Here's a screenshot. My order number is XXX." The attacker now knows your device, your software, your error message, your tone, and what the agent told you to try. Crafting a follow-up email that reads as a legitimate continuation of that conversation is trivial.

2. They prove the customer relationship exists

A cold phishing email saying "Your Adobe subscription has been suspended" is a numbers game. An email that references the specific case number you opened on March 14, the product you actually own, and the agent name you actually spoke with is not a numbers game — it's targeted, and it converts at far higher rates.

3. They flag unresolved problems

If a ticket was open, half-resolved, or closed with "let us know if it happens again," that's a foothold. "Hi, we're following up on case #4829312 — we found a fix but need to verify your account." The very gap that frustrated you the first time is the lever the attacker pulls on the second.

This is also why the HackerOne bug bounty leak matters: researchers typically file detailed reports with proof-of-concept exploits, internal endpoints, and triage status. If unpatched issues sat in that pipeline, attackers now have a roadmap.


The Scam Playbook to Expect Over the Next Several Months

Independent of whether Adobe ever publicly confirms the breach, history says the follow-on scams will roll out in this sequence:

1. "Re: Your Recent Support Case"

A reply-style email that looks like it's continuing a real conversation, references a real-looking case number, and asks you to "verify your account" or "complete a refund" via a link. Lookalike domains such as adobe-support-help.com or creativecloud-billing.net will host the phishing page.

2. License Reactivation Pretexts

"Your Adobe Creative Cloud license could not be renewed. To avoid losing access to your projects, please update payment details." Because the attacker knows which product you own and which subscription tier you're on, the framing is precise.

3. Phone Calls From "Adobe Support"

Higher-effort attacks use voice. The caller cites your case history back to you and asks for "verification" — sometimes a code from your authenticator app, sometimes a card number "to confirm identity." If they read three real details before asking, the fourth often gets handed over.

4. Long-Tail Credential Stuffing

Even without passwords in the leak, the email-plus-product-owned dataset is gold for credential-stuffing attempts on Adobe and adjacent creative tools (Figma, Behance, Frame.io). Old reused passwords from past breaches are tested against these accounts on the assumption that designers and creatives reuse passwords across creative SaaS.

5. B2B Pivots

The 15,000 employee records and HackerOne data aren't aimed at consumers — they're aimed at enterprises that integrate Adobe products. Expect spear-phishing of IT and procurement teams using internal lingo lifted from real Adobe communications.


What to Do If You've Ever Contacted Adobe Support

Five concrete actions, in order of priority:

  1. Treat any unsolicited "Adobe" email or call as hostile until proven otherwise. Open Adobe.com directly in your browser and check your account from there. Never click links in unexpected support follow-ups.
  2. Rotate your Adobe password and enable two-factor authentication. Prefer an authenticator app over SMS. If you reused that password anywhere else, change it there too — that's the credential-stuffing vector.
  3. Review billing and subscription history in your Adobe account directly. Cancel anything you don't recognize and contact your card issuer about disputed charges.
  4. Be skeptical of "case follow-up" framings. Legitimate support reopens are rare. If something looks like a continuation of an old ticket, sign in to Adobe and look at the case in your account dashboard — not from the email.
  5. Flag suspicious messages. Forward phishing attempts to phishing@adobe.com and to your email provider's abuse address so the lookalike domains get blocked faster.

The Deeper Story: Your Vendor's Vendor Is Your Real Attack Surface

Adobe didn't get hacked. Adobe's outsourced helpdesk got hacked.

That distinction matters because the same pattern shows up over and over in the 2026 breach record. McGraw-Hill was breached through a Salesforce misconfiguration. Vercel was breached through a third-party tool called Context.ai. Kemper Corporation lost data via its Salesforce account. The pattern is consistent: the most sensitive data flows through more hands than the brand on the front of the box.

For consumers, the implication is uncomfortable but useful to internalize: every customer-service interaction is a small data deposit into a system you don't control and can't audit. A vendor you've never heard of, in a country you may not have known the data was being processed in, may be the actual custodian. When that custodian gets phished, you're in the leak — even though your relationship was never with them.

You can't audit your way out of this. What you can do is reduce the amount of long-tail context you leave behind:

  • Use disposable or aliased email addresses (Apple's "Hide My Email," Fastmail aliases, SimpleLogin) when opening support tickets, signing up for trials, or registering with vendors you don't fully trust. If the alias leaks, you rotate it.
  • Don't volunteer information that isn't asked for. A support agent doesn't need your home address to fix a font installation bug.
  • Be careful what you paste into ticket bodies. Logs, screenshots, error messages — yes. Account numbers, partial card data, security questions — no. They live in the helpdesk forever, and you don't control where forever is.
  • Treat the email you used for support as a leak risk for the lifetime of the account. Use 2FA, rotate the password regularly, and watch its inbox for impersonation attempts.

A Practical Privacy Hardening Checklist

Use this as a once-a-quarter habit. Most of it takes a single afternoon.

Account hygiene

  • Inventory the accounts on your primary email. Most people have hundreds. Close the ones you no longer use.
  • Run every account through a password manager with unique, generated passwords. Reuse is the single biggest amplifier of any breach.
  • Enable two-factor authentication everywhere it's offered, with an authenticator app rather than SMS.
  • Set up haveibeenpwned.com email alerts so you find out about future leaks the day they're known, not the day a scam lands.

Inbox hygiene

  • Treat all unsolicited "support" emails as hostile by default. Verify by signing in to the platform directly.
  • Hover over links before clicking — lookalike domains rarely survive a careful read.
  • Report and delete, don't engage. Replying to phishing confirms a live address.
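
The link check behind the advice above, and behind the lookalike domains named in the scam playbook, as an added example that is not part of the original post: it judges every link in an HTML email by the host the browser would actually contact, not by the text shown. Treating adobe.com as the only genuine domain, the brand-word list, and the sample email body are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("adobe.com",)                  # assumption: the only genuine domain here
BRAND_WORDS = ("adobe", "creativecloud")  # words the post's lookalike examples borrow

def classify_link(url):
    """Judge an absolute URL by its real host (userinfo before '@' is ignored)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"      # the domain itself or a dot-separated subdomain
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "idn-review"   # possible homograph host; needs a human look
    if any(w in host.replace("-", "").replace(".", "") for w in BRAND_WORDS):
        return "lookalike"    # brand word on a domain outside TRUSTED
    return "unrelated"

class LinkAudit(HTMLParser):
    """Collect (visible text, href, verdict) for each <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            self.links.append((shown, self._href, classify_link(self._href)))
            self._href = None

def audit_email(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.links

# Constructed sample body; the first two hosts are the post's own lookalike examples.
SAMPLE_EMAIL = """
<a href="https://adobe-support-help.com/verify">account.adobe.com</a>
<a href="https://adobe.com@creativecloud-billing.net/refund">Complete refund</a>
<a href="https://adobe.com.login.example/">Sign in</a>
<a href="https://xn--dobe-constructed.example/">Adobe</a> <a href="https://helpx.adobe.com/support.html">Help</a>
"""

if __name__ == "__main__":
    for shown, href, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:11} shown as {shown!r} -> {href}")
```

The first sample link shows why the visible text proves nothing: it reads account.adobe.com but resolves to a lookalike host.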

Network hygiene

  • Encrypt your traffic on networks you don't fully trust — public Wi-Fi, hotel networks, conferences, co-working spaces.
  • Keep DNS lookups inside the encrypted tunnel so a compromised router can't redirect you to a lookalike Adobe page.
  • Turn off Wi-Fi auto-join for unknown networks. Lookalike SSIDs (Cafe_Free, Conference_Guest) are a cheap and reliable phishing channel.

Damage control

  • If you suspect compromise, change passwords first, then 2FA recovery codes, then notification email. That order matters — fixing the password without fixing the recovery email leaves the back door open.
  • Watch your statements for small "test" charges in the days after a known breach. Attackers validate cards with $1 charges before running larger fraud.
  • Don't delete the phishing emails. Keep them in a folder until you're sure no follow-on activity is happening — they're evidence if you need to dispute a charge.

How Mosaic VPN Fits In

A VPN doesn't stop a vendor like Adobe — or its outsourced helpdesk — from being phished. What it does do is shrink the surface area on every other side of your digital life, especially when the post-breach phishing wave starts arriving.

  • AES-256 encryption — Your traffic on home, hotel, airport, and cafe Wi-Fi is encrypted end to end, so anyone else on the same network can't read or hijack it.
  • Low-overhead encryption — Minimal performance impact on your connection, so video calls, large Creative Cloud syncs, and 4K streaming stay smooth.
  • Kill Switch — If the tunnel drops, all traffic is blocked until it reconnects, so nothing leaks onto whatever network you happen to be on.
  • DNS leak protection — Your lookups stay inside the tunnel, so a misconfigured router or hostile captive portal can't redirect you to a lookalike Adobe sign-in page.
  • Global server network — Exit servers in dozens of countries let you reach the services you actually use, even when a destination network is filtered, slow, or untrusted.

Think of it as the layer that stays consistent regardless of which vendor you happen to be trusting that week. You can't audit Adobe's BPO subcontractor. You can control whether the network between you and the rest of the internet is yours.


The Bottom Line

The Adobe breach is a clean example of a quietly important shift in how consumer data leaks work in 2026. The attacker didn't break into Adobe. They phished a single contractor, walked sideways into a helpdesk system, and walked out with thirteen million conversations.

Card numbers weren't exposed. Passwords weren't exposed. Context was — your name, your product, your problem, your tone, the agent who replied. That context is the raw material of every credible phishing email you'll receive over the next year that pretends to be Adobe.

You can't undo the leak. You can make sure that when an unusually well-informed "support follow-up" email arrives, you treat it like the hostile pitch it is — verify in the official app, never click the link, and assume the helpdesk you trusted last year is now part of your threat model.
