Adobe Analytics Bug Exposed Customer Data to Other Users

A significant data exposure incident recently impacted users of Adobe Analytics, stemming from a software bug that inadvertently shared customer information across different organizational accounts. This breach occurred due to an error introduced during a system performance upgrade, leading to the unintended mixing of data streams between separate clients.

The problem originated on September 17, 2025, precisely at 12:20 UTC, when Adobe implemented a change intended to enhance data collection efficiency. Instead of improving performance, this modification created a flaw causing what Adobe described as “errant values” to appear within Analysis Workspace reports. For nearly a full day, certain analytics services displayed information belonging to other customers.

Adobe’s engineering teams identified the issue and rolled back the problematic update by September 18 at 11:00 UTC. The company confirmed the incident resulted from an internal mistake rather than any malicious cyberattack or external security breach. Services affected included Data Collection, Media Processing, Customer Attributes, and various reporting applications.

According to internal advisories shared with customers, specific data fields were overwritten with values pulled from other clients’ data streams. Adobe estimates this corruption impacted between three and five percent of all collected data during the affected period. The flawed data made its way into Data Feeds, Live Stream, scheduled reports, and several integrated platforms.

The repercussions extended beyond Adobe Analytics itself. Because numerous other Adobe products rely on analytics data, the bug also influenced Customer Journey Analytics, Real-Time CDP, and Adobe Journey Optimizer. Any system or report pulling from these sources during the incident window may have incorporated inaccurate or foreign information.

Adobe has instructed all affected customers to immediately delete or purge any data received between the start and end times of the disruption. This directive applies not only to active systems but also to backups and any downstream environments where the data might have been stored or processed. Removing the compromised information is essential to prevent further retention or accidental use of another organization’s data.

Although Adobe’s policy prohibits customers from collecting personal data through its analytics platform, internal sources indicate that not all clients adhere to this rule. Consequently, the exposed information could have included sensitive details such as email addresses, session identifiers, and on-site search queries from other companies.

One analytics consultant explained that the flaw meant “the web tracking of company A shows information of company B.” Another customer highlighted the serious legal implications, noting potential violations under privacy regulations like the VPPA, CPPA, and GDPR due to the unauthorized data sharing.

Because the ingestion bug wrote external data directly into business intelligence systems, the foreign information became embedded in exports, backups, and other analytical tools. This complicates the cleanup process, as the faulty data is now scattered across multiple locations.

Adobe has not provided additional commentary beyond its public status page, reiterating that its teams are working to cleanse impacted datasets. The company will notify customers once the platform is fully restored and reliable for accurate reporting. In the meantime, users are urged to verify their data integrity and comply with deletion requests to mitigate privacy risks.

(Source: Bleeping Computer)