September 29, 2023

Retool has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.

According to a report, one of the known victims is Fortress Trust, i.e., four of its customers who accessed their crypto funds via a portal built by Retool.

The attack started with spear phishing text messages delivered to a number of Retool employees. Spoofed to look like it was coming from the company’s IT department, the goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call by the attacker.


The caller claimed to be one of the members of the IT team and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately, it did provide the attacker with one additional MFA code.

And because the employee’s MFA codes were synched with their Google account, the attacker now had access to all MFA tokens held within that account. This allowed them to run an account takeover attack on a specific set of customers, and the attacker also poked around some of the Retool apps – but didn’t specify which ones.

The company recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud and made it easier to activate the feature that not to.

If they used FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed.


Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.

Retool is working with law enforcement and a third-party forensics firm to investigate the breach in depth, and they found that 27 cloud customers have been affected but that on-premise Retool customers remain secure.

Leave a Reply

%d bloggers like this: