Retool blames breach on Google Authenticator MFA cloud sync feature


Software company Retool says the accounts of 27 cloud customers were compromised following a targeted and multi-stage social engineering attack.


Retool's development platform is used to build business software by companies ranging from startups to Fortune 500 enterprises, including Amazon, Mercedes-Benz, DoorDash, NBC, Stripe, and Lyft.


Snir Kodesh, Retool's head of engineering, revealed that all hijacked accounts belong to customers in the cryptocurrency industry.


The breach occurred on August 27, after the attackers bypassed multiple security controls using SMS phishing and social engineering to compromise an IT employee's Okta account.


The attack used a URL impersonating Retool's internal identity portal and was launched during a previously announced migration of logins to Okta.


While most of the targeted employees ignored the phishing text message, one clicked the embedded phishing link that redirected to a fake login portal with a multi-factor authentication (MFA) form.


After signing in, the attacker deepfaked an employee's voice and called the targeted IT team member, tricking them into providing an additional MFA code, which allowed the addition of an attacker-controlled device to the targeted employee's Okta account.


Hack blamed on new Google Authenticator sync feature


Retool is blaming the success of the hack on a new feature in Google Authenticator that allows users to synchronize their 2FA codes with their Google account.


This has been a long-requested feature, as you can now use your Google Authenticator 2FA codes on multiple devices, as long as they are all logged into the same account.


However, Retool says that the feature is also to blame for the severity of the August breach, as it allowed the hacker who successfully phished an employee's Google account to have access to all of their 2FA ..
