Incident Details
An engineer at Retool was socially engineered, resulting in a compromise of MFA tokens and account takeovers for a small number of Retool customers, with a connected loss of $15M in cryptocurrency from Fortress Trust.
Incident
How Did the Breach Happen?
The breach happened via a spear-phishing attack in which the Retool engineer was lured to a fake Okta domain and tricked into entering login credentials and an MFA code. The attacker then used deepfake technology to impersonate a known colleague's voice, lending credibility to a follow-up request for an additional MFA code.
What Data Has Been Compromised?
The compromised data includes MFA tokens, which allowed the attacker to access Retool's VPN and internal admin systems and ultimately to perform account takeover attacks on customers, particularly in the cryptocurrency industry.
Why Did the Company's Security Measures Fail?
The company's security measures failed due to a combination of factors: the employee's MFA tokens were synced to the cloud (a Google Authenticator feature), and there was no clear way to disable that syncing. In addition, the social engineering was sophisticated, exploiting trust in a colleague's familiar voice and the attacker's knowledge of internal company details.
What Immediate Impact Did the Breach Have on the Company?
The immediate impact was the unauthorized access of internal systems and subsequent account takeovers of 27 customers in the cryptocurrency industry, with an associated financial loss of $15M from Fortress Trust.
How Could This Have Been Prevented?
This could have been prevented by not syncing TOTP seeds to the cloud, by better awareness of what the authenticator app's features actually do, by more thorough training against sophisticated social engineering attacks, and potentially by using hardware security keys.
What Have We Learned From This Data Breach?
We have learned that syncing TOTP seeds to the cloud can be a significant vulnerability, that awareness and training can reduce social engineering risk, and that security teams must implement and support secure solutions for privileged users.
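As an added illustration, not part of this incident write-up: RFC 6238 TOTP derivation, showing why the seed (not the six-digit code) is the real secret. Any copy of the seed, such as one synced to a cloud account, yields the same codes as the employee's device for every time window, so a verifier cannot tell the copies apart. The seed used is the public RFC 6238 reference secret so the outputs can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 6238 reference secret (ASCII "12345678901234567890").
# A real seed is random bytes provisioned once; this one is public so the RFC vectors can be checked.
DEMO_SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP window


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check with +/- `skew` steps of clock tolerance and a constant-time compare."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + i * STEP), candidate)
        for i in range(-skew, skew + 1)
    )


def codes_from_seed_copy(seed: bytes, unix_time: int, windows: int) -> list:
    """Codes a second copy of the seed (e.g. one restored from a cloud backup) produces for
    the next `windows` time steps. No interaction with the original device is needed,
    which is why the seed, not the code, is what must stay off shared storage."""
    return [totp(seed, unix_time + i * STEP) for i in range(windows)]


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 sample timestamp
    print("code from original device:       ", totp(DEMO_SEED, t))
    print("codes derivable from a seed copy:", codes_from_seed_copy(DEMO_SEED, t, 3))
    copied = codes_from_seed_copy(DEMO_SEED, t, 1)[0]
    print("verifier accepts the copied code:", verify(DEMO_SEED, copied, t))
```

A phishing-resistant factor such as a FIDO2 hardware key has no exportable seed to sync, which is the property the prevention section above is pointing at.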
Summary of Coverage
The Retool data breach was carried out through social engineering and exploitation of a Google Authenticator feature that syncs MFA tokens to the cloud. As a result, attackers gained access to 27 customer accounts within the cryptocurrency sector, leading to significant financial loss. Improved security practices, better training, and alternatives to cloud-synced MFA could have prevented the breach.