- A phishing attack on software firm Retool led to hackers stealing $15 million worth of crypto assets.
- Retool blamed the hack on the Google Authenticator cloud sync feature that Google introduced earlier this year.
- Because synced one-time codes travel with the Google account, the feature effectively turned multi-factor authentication into single-factor authentication.
San Francisco-based software development firm Retool recently released details of a breach that allowed attackers to steal crypto assets worth $15 million. Those affected included Fortress Trust, a Retool client. Details of the hack were released more than two weeks after Retool initially reported the incident.
Crypto journalist Colin Wu took to X (formerly Twitter) earlier today to report the latest developments of the Retool hack:
Retool blamed the hack on Google Authenticator's cloud synchronization feature, which was introduced earlier this year. After an SMS-based phishing attack gave the attacker control of a Retool employee's Google account, the one-time codes synced to that account came with it, and the attacker reportedly went on to access the accounts of 27 Retool Cloud customers. In effect, the sync feature turned the account's multi-factor authentication into single-factor authentication: compromising the Google account also handed over the second factor.
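To make the point concrete, here is an added example (written for this article, not code from Retool or Google) of why a synced authenticator seed is the whole second factor. A TOTP code is a pure function of the shared seed and the clock (RFC 6238, HMAC-SHA1 as Google Authenticator uses it), so a copy of the seed, whether on the phone or replicated into a cloud account, produces exactly the codes the server expects. The `ENROLLED_SEED` value and the `synced_seed_defeats_mfa` helper are constructed for this demonstration; the RFC 6238 test vector seed is the one from the RFC.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, HMAC-SHA1 variant (the one Google Authenticator uses)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify(seed: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check that tolerates +/- skew_steps 30-second steps of clock drift."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(seed, unix_time + delta * 30), code):
            return True
    return False


# Constructed seed standing in for a real authenticator enrollment (not a real key).
ENROLLED_SEED = b"demo-seed-for-this-article-not-a-real-key"


def synced_seed_defeats_mfa(now: int) -> dict:
    """Compare the enrolled phone with an attacker holding only a copy of the seed.

    A copy of the seed is exactly what a compromised Google account with
    Authenticator cloud sync turned on hands over: nothing on the phone is needed.
    """
    phone_code = totp(ENROLLED_SEED, now)
    attacker_seed = bytes(ENROLLED_SEED)  # the synced copy, not the device
    attacker_code = totp(attacker_seed, now)
    return {
        "phone_code": phone_code,
        "attacker_code": attacker_code,
        "server_accepts_attacker": verify(ENROLLED_SEED, attacker_code, now),
        # True only if the second factor carried something the seed copy lacks.
        "second_factor_survives_seed_theft": phone_code != attacker_code,
    }


if __name__ == "__main__":
    import time
    print(synced_seed_defeats_mfa(int(time.time())))
```

The server cannot tell the two parties apart, which is the whole problem: with the seed in the cloud account, "something you have" collapses into "something the account holder knows". Factors bound to hardware that cannot be exported (a FIDO2 security key, for instance) do not have this property, which is why the quoted request to let organisations disable the sync matters.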
The incident reportedly took place on August 27, 2023, when the attacker got past several layers of security controls by way of SMS phishing. The timing coincided with Retool's migration of logins to Okta, an identity and access management platform. The attacker succeeded after one Retool employee logged in through the malicious link in the phishing SMS.
Speaking on the hack, Retool’s Head of Engineering Snir Kodesh stated:
We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud) or at least provide organizations with the ability to disable it. We have already passed this feedback on to Google.
On August 29, Retool reportedly informed the affected customers about the hack. The breach did not impact any of the firm's on-premises or managed accounts, since those never connect to Retool Cloud. Retool said it published the details so that the wider industry would be aware of the attack pattern and could revisit its own security measures.