Retool blames breach on Google Authenticator MFA cloud sync feature


Level 76
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
Software company Retool says the accounts of 27 cloud customers were compromised following a targeted and multi-stage social engineering attack.

Retool's development platform is used to build business software by companies ranging from startups to Fortune 500 enterprises, including Amazon, Mercedes-Benz, DoorDash, NBC, Stripe, and Lyft.

Snir Kodesh, Retool's head of engineering, revealed that all hijacked accounts belong to customers in the cryptocurrency industry.

The breach occurred on August 27, after the attackers bypassed multiple security controls using SMS phishing and social engineering to compromise an IT employee's Okta account.

The attack used a URL impersonating Retool's internal identity portal and was launched during a previously announced migration of logins to Okta.

While most of the targeted employees ignored the phishing text message, one clicked the embedded phishing link that redirected to a fake login portal with a multi-factor authentication (MFA) form.

After signing in, the attacker deepfaked an employee's voice and called the targeted IT team member, tricking them into providing an additional MFA code, which allowed the addition of an attacker-controlled device to the targeted employee's Okta account.
Retool is blaming the success of the hack on a new feature in Google Authenticator that allows users to synchronize their 2FA codes with their Google account.

This has been a long-requested feature, as you can now use your Google Authenticator 2FA codes on multiple devices, as long as they are all logged into the same account.

However, Retool says that the feature is also to blame for the August breach severity as it allowed the hacker who successfully phished an employee's Google account access to all their 2FA codes used for internal services.

"With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems," Kodesh said.


Staff Member
Malware Hunter
Jul 27, 2015
Not Googles fault that Retool didn't implement and used extra and better authentication tools for their " critical systems ". There's way too many other old reports available on that issue. The use of an hardware device like FIDO2 keys helps.

Btw, Okta themself been serious breached more then once:


Level 36
Top Poster
Content Creator
May 13, 2017
Could Microsoft Authenticator fall under the same attacks or worse, as it can also sync your 2FA and passwords.
Yes, because it was user's fault, who logged via a phishing webpage. I have just reinstalled Windows and all I had to do to login was to confirm 1 request via "trusted" Authenticator. Afterwards, I could simply access everything via Windows using PIN, like passwords, onedrive, etc. So much for 2FA/MFA, the whole security is like a house of cards, one mistake and it all falls down.


Level 28
Top Poster
Feb 7, 2023
Securit and convenience are usually inversely proportional to each other. You sacrifice one to gain other.
Not sure why they are blaming Google here.
It’s always like that in the event of breach, that’s been like this for years. It’s his fault, her fault, its fault, their fault. It is never the business’ fault for various misconfigurations.

Btw, Authenticator by Google can be used without an account too by people who desire to do so.


Sandbox Breaker

Level 9
Jan 6, 2022
I've been using yubikeys/titans since 2017. Never looked back since. With AiTM today... Alot of orgs/banks/govts/MSP's all getting hacked.

Check Point Zero Phishing has stopped all zero day AiTM pages/proxies I've seen in the wild.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.