Retool Details

    Retool

    San Francisco, CA • 364 employees • Information Technology

    Industry

    Information Technology

    Security Incidents

    1

    Security Incidents

    Retool Breach of Aug 2023
    Severity Score
    Significant to High

    Type

    Phishing Attack

    Summary

    On August 27, 2023, Retool experienced a spear phishing attack coinciding with an internal migration to Okta for login management. An employee was deceived by an SMS purporting to be from IT and directed to a fraudulent portal, subsequently surrendering their login credentials and a multi-factor authentication (MFA) code during a call utilizing a deepfake of a coworker's voice. The attacker added their own device to the employee's Okta account, gaining access to GSuite and all synced MFA codes via Google Authenticator's new cloud sync feature. Using these codes, the attacker infiltrated Retool...

    Severity

    The August 2023 cyber incident at Retool revealed significant vulnerabilities in multi-factor authentication (MFA) practices and highlighted the sophisticated nature of modern social engineering attacks. This breach involved a targeted spear-phishing campaign that leveraged deepfake technology to deceive an employee into providing critical MFA codes, granting the attacker access to internal systems and customer accounts. Although the impact was limited to 27 cloud accounts and excluded on-premise customers, the incident underscores the severe risks associated with software-based OTPs for MFA, ...

    Impact

    The cybersecurity incident that Retool experienced on August 27, 2023, was a spear phishing attack. This breach affected 27 of their cloud customers, specifically those in the crypto industry.

    Customer data was exposed, including user emails and passwords, which allowed the attackers to take over accounts and browse some of the Retool apps belonging to these customers. Additionally, an affected employee's MFA codes stored in Google Authenticator were compromised, allowing unauthorized access to internal admin systems and the VPN. There was no impact on on-premise or managed...