Google Feature Blamed for Retool Breach That Led to Cryptocurrency Firm Hacks 

A recently introduced Google account sync feature has been blamed after sophisticated hackers attacked 27 cryptocurrency firms via Retool.

A recently introduced Google account sync feature has been blamed by software development firm Retool after sophisticated hackers gained access to its systems and targeted over two dozen of its customers from the cryptocurrency sector.

Retool is a San Francisco, California-based company that provides a development platform designed for building custom business tools without the need for advanced programming skills. Its customers include major companies such as Amazon, DoorDash, Unity, NBC, Mercedes-Benz, Volvo, Lyft and Peloton.

The company revealed this week that 27 of its cloud customers were notified in late August that there had been unauthorized access to their accounts. Retool said on-prem and managed accounts were not impacted.

Hackers launched account takeover attacks against these customers, changing user emails and resetting passwords. All of the victims were from the cryptocurrency industry.

Retool said the attack was quickly detected and the company rushed to take action to revert the 27 account takeovers. 

However, CoinDesk reported that at least one customer, Fortress Trust, had $15 million worth of cryptocurrency stolen as a result of the attack. 

The sophisticated attack started with SMS-based spear phishing aimed at Retool employees. The messages, received by several employees, appeared to come from a member of the company’s IT team and instructed recipients to access a legitimate-looking link in order to address some payroll and open enrollment (healthcare-related) issues. 

Only one employee fell for the attack and accessed the link, which led them to a phishing page that tricked them into handing over their credentials and multi-factor authentication (MFA) data. 

The hackers then followed up with a phone call in which they deepfaked an employee’s actual voice. The person making the call raised some suspicion, but ultimately the employee did provide the attacker an additional MFA code that they needed. The attacker was convincing because they were familiar with the office’s floor plan, internal processes, and other employees. 

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device,” Retool explained in a blog post.

The company said it uses one-time passwords (OTPs) for authentication to Google, Okta, an internal VPN, and internal Retool instances. The attacker was able to obtain access to all the MFA tokens in the targeted employee’s account — and then access internal systems — due to a recently launched Google Authenticator feature that syncs MFA codes to the cloud. 

If the feature is active — it was active in the case of the Retool employee — hackers can obtain all of the targeted user’s MFA codes if their Google account is compromised. 

“If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just a ‘unlink Google account’ option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” Retool complained.

“The fact that Google Authenticator syncs to the cloud is a novel attack vector,” Retool noted. “What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”
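Why a synced authenticator stops being an independent factor, as an added example that is not from Retool, Google or the original article: a TOTP code (RFC 6238) is computed from the enrolment seed and the clock alone, so any device holding a copy of the seeds produces the same codes. The seeds, the `VAULT` layout and the `restore_from_sync` helper are constructed for illustration; the service names mirror the ones Retool lists.

```python
import base64
import hashlib
import hmac
import struct

def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default scheme in authenticator apps."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", unix_time // step)       # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Seed from the RFC 6238 test vectors, used to check the implementation.
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()

# Constructed seeds, one per system the article says was protected by OTP.
VAULT = {
    "google": base64.b32encode(b"constructed-seed-001").decode(),
    "okta": base64.b32encode(b"constructed-seed-002").decode(),
    "vpn": base64.b32encode(b"constructed-seed-003").decode(),
    "retool-internal": base64.b32encode(b"constructed-seed-004").decode(),
}

def codes_for(vault: dict, unix_time: int) -> dict:
    """Every code the vault holder can produce at a given moment."""
    return {service: totp(seed, unix_time) for service, seed in vault.items()}

def restore_from_sync(vault: dict) -> dict:
    """Hypothetical model of cloud sync: the seeds themselves are copied.
    Nothing in a TOTP seed binds it to the handset that enrolled it."""
    return dict(vault)

def factors_are_independent(enrolled: dict, other_device: dict, unix_time: int) -> bool:
    """True only if the second device cannot reproduce any enrolled code."""
    mine = codes_for(enrolled, unix_time)
    theirs = codes_for(other_device, unix_time)
    return not any(theirs.get(service) == code for service, code in mine.items())

if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the run is reproducible
    second_device = restore_from_sync(VAULT)
    print("enrolled phone :", codes_for(VAULT, now))
    print("synced device  :", codes_for(second_device, now))
    print("independent?   :", factors_are_independent(VAULT, second_device, now))
```

Phishing-resistant FIDO credentials, which Google's statement below points to, avoid this because the private key is not a shared secret that is typed in or copied between parties.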

It’s unclear who is behind the attack, but the incident seems to have some similarities to recent attacks attributed to a financially motivated threat group tracked as 0ktapus, Scattered Spider and UNC3944. The group is known for its sophisticated social engineering tactics, the use of SMS-based phishing messages, and the targeting of cryptocurrency firms. The same gang also appears to be behind the recent highly disruptive attack on MGM Resorts.

Regarding the use of deepfakes for social engineering, this seems to be an increasingly popular tactic. US agencies CISA, FBI and NSA this week published a cybersecurity report on deepfakes, warning that video, audio and text deepfakes can be used for a wide range of malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams. 

UPDATE: Google has provided SecurityWeek the following statement:

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
