Adobe Alerts Customers of Data Leak Due to Analytics Bug
Adobe has informed its Analytics users of a significant issue that led to customer tracking data being inadvertently shared between organizations. This data exposure occurred due to an ingestion bug that emerged on September 17, 2025, at 12:20 UTC. The flaw, introduced during a performance optimization change, affected the data collection process within Adobe Analytics, resulting in erroneous values appearing in various reports.
According to Adobe’s status page, the bug disrupted services globally, impacting key functionalities such as Data Collection, Media Processing, Customer Attributes, and reporting applications. Adobe’s engineering teams have acknowledged the problem and are actively working to cleanse the affected datasets. The company confirmed that the disruption was not linked to any malicious activity or cybersecurity threat.
The status update emphasized that approximately 3–5% of the data collected during this period was corrupted. A private advisory shared with BleepingComputer revealed that specific fields within some data were overwritten with values from other customers’ data streams. The advisory strongly recommended that affected customers delete any impacted data received between September 17, 12:20 UTC, and September 18, 2025, 11:00 UTC.
The advisory stated, “All impacted Adobe Analytics customers who use Data Feeds or Live Stream should immediately delete or purge any data received during this timeframe, as it may contain specific field information from other Adobe customers.” This action is crucial to prevent further retention or use of data that may have been mistakenly exposed.
Numerous products that rely on Adobe Analytics have also been affected, including Customer Journey Analytics, Real-Time CDP, and Adobe Journey Optimizer. As these tools integrate data from Adobe Analytics, the implications of the bug extend beyond just the Analytics platform.
An Analytics consultant highlighted the gravity of the situation, noting that the bug could lead to sensitive data, such as email addresses and session hashes, being mixed between different companies. Another customer expressed concern over the potential regulatory implications, citing possible violations under the Video Privacy Protection Act (VPPA), California Consumer Privacy Act (CPPA), and General Data Protection Regulation (GDPR).
These issues arise particularly because the ingestion bug led to other customers’ data being written directly into downstream business intelligence systems. Consequently, this data could become embedded in backups, exports, and other systems that leverage Adobe’s platform.
Despite inquiries from BleepingComputer regarding further clarifications on the incident, Adobe directed requests back to its public status page and did not provide additional details.
As cleanup efforts continue, Adobe has committed to notifying customers once the platform is deemed safe for valid reporting. The company reiterates its policy against collecting personal data through its Analytics services, although adherence to this policy by all customers remains a concern.
