Retool Suffers Social Engineering Breach

Retool blames the success of the hack on a new feature in Google Authenticator – OTP Cloud Back-up.

‍

We published an article back in April 2023 called, ‘Is Google Authenticator’s New OTP Backup Feature Safe?’ In the article we examined the new cloud feature and asked the question, was it secure. The backup feature is supposed to provide users a way to regain access to their accounts if they lose the phone where Authenticator is installed. 

In theory, this provided a better experience for users, and it is true to say that when used in a combination with a memorised password, having the additional OTP does add an additional layer of security, making it more difficult for hackers. It makes an attack more complex, but still cannot prevent it. Moreover, the biggest issue of saving OTP codes is that all that a hacker needs to do is steal the user's Google account password to restore all the OTP secrets on their device. The attacker can also, reset the OTP secret to take over an account completely.

What Happened in the Case of Retool?

Hackers used social engineering tactics to target Retool employees and unfortunately got a bite. The attack began with a phishing text message that once clicked on, redirected the unsuspecting employee to a fake login portal, complete with an MFA credentials login form. 

From here, the attackers managed to steal the login credentials of Retool employee’s Okta account. They signed in and then contacted the victim via phone, using a deepfake-voice and tricked the victim into providing the extra MFA code, at which point the attacker added their own device to the employees Okta account. 

“The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator. We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it. We have already passed this feedback on to Google.” Said Snir Kodesh · Head of Engineering at Retool.

The Impact of the Breach 

The attacker gained access via Retool’s VPN using the OTPs and the Okta session. They were able to change emails for users and reset passwords resulting in complete account take-over of almost thirty crypto industry customers. 

Solutions to Credential Phishing & All Password-based Attacks

OTPs and passwords are no longer fit for purpose. Although providing back up might be popular with users in the short-term, in the long run this is not secure. As usual, the wrong problem is being solved. The only way to prevent all phishing attacks is to remove passwords, secrets, and all phishable factors like OTPs, QR, Push or SMS, and that goes for the whole lifecycle, not just for the act of authentication. 

Visit, AuthN by IDEE to find out more information on how we can help you win the fight against password-based attacks and credential phishing with phish-proof MFA.