The attack exploits the Google Authenticator cloud sync function, effectively transforming multi-factor authentication into a single-factor system. The offender gained control of an Okta account and subsequently seized control of the associated Google account, which held all one-time passwords (OTPs) stored in Google Authenticator. This synchronization feature, previously considered secure, turned out to be a novel attack vector.
The incident began with an SMS phishing attack aimed at Retool employees, where threat actors posed as members of the IT team. Employees were forced to click on a seemingly legitimate link to address a payroll-related issue. An additional security flaw emerged when an employee enabled Google Authenticator’s cloud sync feature, granting threat actors elevated access to internal admin systems.
The attackers subsequently changed email addresses and reset passwords for 27 customers in the crypto industry, resulting in substantial losses, notably the theft of $15 million worth of cryptocurrency from Fortress Trust, as reported by CoinDesk.
While the exact identity of the hackers remains undisclosed, their tactics resemble those of a financially motivated threat actor known as Scattered Spider, recognized for employing sophisticated phishing techniques. Retool assures that the breach did not grant unauthorized access to on-premises or managed accounts and coincided with the company’s migration of logins to Okta.
DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.