The past few weeks have been a nightmare for data breaches, so good news: Here's another easily preventable security blunder. Adobe's Product Security Incident Response Team accidentally posted the private PGP encryption key — necessary to decrypt encrypted content sent to them using their public PGP key — associated with their [email protected] email account this week, Ars Technica reported.
The mistake was first discovered on Friday afternoon by security researcher Juho Nurminen, who posted it to Twitter with the caption "Oh shit Adobe."
Oh shit Adobe pic.twitter.com/7rDL3LWVVz

— Juho Nurminen (@jupenur) September 22, 2017
PGP, which stands for Pretty Good Privacy, is a method for sending encrypted messages with private- to government-level security. PGP users receive two keys: a public PGP key tied to an email address or username, which encrypts incoming messages, and a private key, which should be known only to the recipient and is used to decrypt said messages.
Just knowing the private PGP key would not in and of itself allow a malicious user to breach Adobe's associated email account, which would have its own layers of security. But as the Register noted, the leak of the key could create other problems for Adobe, since the email address was used to report critical security flaws with their products:

Armed with the private key, an attacker could spoof PGP-signed messages as coming from Adobe. Additionally, someone (cough, cough the NSA) with the ability to intercept emails — such as those detailing exploitable Flash security vulnerability reports intended for Adobe's eyes only — could use the exposed key to decrypt messages that could contain things like, say, zero-day vulnerability disclosures.
According to Ars Technica, the mistake appears to have arisen when an Adobe staffer posted a text file containing the public PGP key using Mailvelope, a common browser extension. They then forgot to trim the section of the exported text file containing the private key.
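A pre-publication check for the failure described above, as an added example (not from the original article, Adobe or Mailvelope): it scans an exported key file for ASCII-armored OpenPGP blocks and flags any whose first packet is a secret key, whatever the armor label says. The function names and the sample data are constructed for illustration.

```python
import base64
import re

# OpenPGP packet tags that carry secret key material (RFC 4880, section 4.3).
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----", re.DOTALL)

def first_packet_tag(data):
    """Return the tag of the first OpenPGP packet, or None if malformed."""
    if not data or not data[0] & 0x80:   # bit 7 is always set in a packet header
        return None
    if data[0] & 0x40:                   # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F         # old-format header: tag in bits 5-2

def armor_payload(body):
    """Decode an armor body, skipping 'Key: value' headers and the '=' CRC line."""
    lines = [line.strip() for line in body.splitlines()]
    data = [l for l in lines if l and ":" not in l and not l.startswith("=")]
    try:
        return base64.b64decode("".join(data), validate=True)
    except ValueError:                   # not valid base64: treat as undecodable
        return b""

def find_secret_key_blocks(text):
    """Return (armor_label, reason) for every block that must not be published."""
    findings = []
    for match in ARMOR_RE.finditer(text):
        label = match.group(1)
        tag = first_packet_tag(armor_payload(match.group(2)))
        if tag in SECRET_TAGS:
            findings.append((label, f"first packet is a {SECRET_TAGS[tag]}"))
        elif "PRIVATE KEY" in label:     # undecodable body, but the label is enough
            findings.append((label, "armor label says private key"))
    return findings

def make_armor(label, raw):
    """Build a constructed armor block around dummy bytes (CRC line is a dummy too)."""
    b64 = base64.b64encode(raw).decode()
    return (f"-----BEGIN PGP {label}-----\nVersion: Example\n\n"
            f"{b64}\n=AAAA\n-----END PGP {label}-----\n")

# Constructed sample: a public block followed by a private block, as in the
# export described above. The packet bytes are dummies, not real key material.
SAMPLE_EXPORT = (make_armor("PUBLIC KEY BLOCK", bytes([0x99, 0, 3, 1, 2, 3]))
                 + make_armor("PRIVATE KEY BLOCK", bytes([0x95, 0, 3, 1, 2, 3])))

if __name__ == "__main__":
    for label, reason in find_secret_key_blocks(SAMPLE_EXPORT):
        print(f"DO NOT PUBLISH: {label} ({reason})")
```

Run against the file about to be posted, a non-empty result means the export still contains secret key material and should be trimmed or re-exported as public-only.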
The PGP system is not exactly user-friendly — it's honestly somewhat clumsy — but this is still a relatively major mistake. The original post has since been deleted and replaced with a new key, so hopefully no damage was done in the short period of time it was live on the site. Certainly the recent weeks have seen much, much worse problems with digital security than this little incident, so probably cut Adobe a break on this one.

[Ars Technica, The Register]