Software development platform Retool has blamed Google after a data breach.
Here’s what happened: a hacker collective using SMS phishing and social engineering stole the login credentials for an Okta account belonging to a Retool IT employee. The scheme was elaborate: it included a fake internal identity portal for Retool and impersonation of a Retool employee, which got the victim to share a multi-factor authentication (MFA) code.
But because the company used Google’s MFA app, Authenticator, Retool’s head of engineering, Snir Kodesh, puts much of the blame on Google. The search giant recently added a feature to Authenticator that syncs a user’s one-time codes (more precisely, the secret seeds that generate them) to their Google account, so the same codes can be produced on multiple devices. A synced seed is a full copy of the factor: whoever holds it can generate every code. This is how the attackers were able to obtain the employee’s Authenticator codes, and with them access to Okta.
“These codes (and the Okta session) gave the attacker access to our VPN, and crucially, to our internal administrative systems,” BleepingComputer quoted Kodesh’s statement. “This allowed them to conduct an account takeover attack on a specific group of customers (all in the crypto industry). (They changed users’ email addresses and reset passwords.) After taking over their accounts, the attacker snooped around some of the Retool apps.”
“We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages storing MFA codes in the cloud) or allow organizations to disable this.”
Google, for its part, responded relatively mildly. It pointed out that the sync feature is optional, and suggested moving away from OTP-based authentication to phishing-resistant methods such as passkeys:
“Our number one priority is the safety and security of all online users, both consumer and enterprise, and this event is another example of why we remain committed to improving our authentication technologies. We also continue to encourage the movement towards more secure authentication technologies as a whole, such as passkeys, which are resistant to phishing,” a Google spokesperson told BleepingComputer.
“Phishing and social engineering risks with legacy authentication technologies, such as those based on OTP, are why the industry is investing heavily in these FIDO-based technologies,” the Google spokesperson said.
“As we continue to work on these changes, we want to make sure Google Authenticator users know they have the choice to sync their OTPs with their Google Account, or just keep them locally. In the meantime, we will continue to work on the balance between security and usability as we consider future improvements to Google Authenticator.”
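The two properties the statements above turn on are easy to show in code: a synced TOTP seed is a complete copy of the factor, and a six-digit code carries no notion of which site it was typed into, whereas a FIDO/WebAuthn assertion is bound to the origin the browser actually saw. The following Python is an added illustration, not code from Retool, Google or the original article. It implements RFC 4226/6238 as written; the seed is the RFC 6238 reference seed (so the codes can be checked against the RFC), the credential key and the two origins are constructed sample values, and the HMAC "signature" in the WebAuthn-style part is a simplified stand-in for a real credential signature, not a WebAuthn implementation.

```python
"""Added illustration (not Retool's, Google's or the article's code) of the two
properties at issue: a synced TOTP seed is a full copy of the factor, and a TOTP
code is not bound to the site it is typed into, whereas a FIDO/WebAuthn assertion
is bound to the origin the browser saw.  All seeds, keys and origins below are
constructed sample values."""
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step (seconds)
DIGITS = 6   # what Google Authenticator and Okta display


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(seed, unix_time // STEP, digits)


def idp_accepts_totp(seed: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """A typical verifier accepts the current window plus `skew` windows on each side,
    which is exactly the slack a relay attack needs."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-skew, skew + 1))


# Constructed stand-in for the seed the employee enrolled in Authenticator
# (it is the RFC 6238 reference seed, so the codes can be checked against the RFC).
EMPLOYEE_SEED = b"12345678901234567890"


def synced_seed_is_the_factor(unix_time: int) -> tuple[str, str, bool]:
    """Once the seed has been synced to a cloud account, whoever controls that account
    runs the same generator.  Returns (victim's code, attacker's code, IdP accepts attacker)."""
    victim_code = totp(EMPLOYEE_SEED, unix_time)
    attacker_code = totp(EMPLOYEE_SEED, unix_time)   # same seed, copied from the synced backup
    return victim_code, attacker_code, idp_accepts_totp(EMPLOYEE_SEED, attacker_code, unix_time)


def phished_totp_relay(unix_time: int, relay_delay: int = 10) -> bool:
    """Fake portal collects the six digits; the attacker types them into the real IdP
    `relay_delay` seconds later.  Nothing in the code says which site it was meant for,
    so the relay succeeds as long as it lands inside the acceptance window."""
    code_typed_into_fake_portal = totp(EMPLOYEE_SEED, unix_time)
    return idp_accepts_totp(EMPLOYEE_SEED, code_typed_into_fake_portal, unix_time + relay_delay)


# --- origin-bound factor: simplified model of a WebAuthn assertion ---------------
# HMAC stands in for the credential's private-key signature.  A real authenticator
# signs authenticatorData || SHA-256(clientDataJSON), and clientDataJSON carries the
# origin the browser was actually on.  Key and origins are constructed examples.
CREDENTIAL_KEY = b"constructed-credential-private-key"
REAL_ORIGIN = "https://idp.example.com"
FAKE_ORIGIN = "https://idp-example.com.evil.test"


def browser_assertion(challenge: bytes, origin: str) -> str:
    """The browser fills in the origin it is on; neither the user nor the page can override it."""
    return hmac.new(CREDENTIAL_KEY, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def rp_accepts_assertion(challenge: bytes, claimed_origin: str, assertion: str) -> bool:
    """Relying party rejects the assertion unless the claimed origin is its own AND the
    signature was produced over that same origin."""
    if claimed_origin != REAL_ORIGIN:
        return False
    expected = browser_assertion(challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def phished_assertion_relay(challenge: bytes = b"nonce-from-real-idp") -> tuple[bool, bool]:
    """Attacker forwards the real IdP's challenge through the fake portal; the victim's
    browser signs it bound to FAKE_ORIGIN.  Returns the outcome of both relay attempts:
    (forward the assertion as-is, forward it while claiming REAL_ORIGIN)."""
    assertion = browser_assertion(challenge, FAKE_ORIGIN)
    honest_relay = rp_accepts_assertion(challenge, FAKE_ORIGIN, assertion)   # origin mismatch
    forged_origin = rp_accepts_assertion(challenge, REAL_ORIGIN, assertion)  # signature mismatch
    return honest_relay, forged_origin


if __name__ == "__main__":
    t = 1111111111  # RFC 6238 test time
    print("synced seed:", synced_seed_is_the_factor(t))
    print("TOTP relay after 10s / 100s:", phished_totp_relay(t), phished_totp_relay(t, 100))
    print("WebAuthn-style relay:", phished_assertion_relay())
    print("legit login:", rp_accepts_assertion(b"n", REAL_ORIGIN, browser_assertion(b"n", REAL_ORIGIN)))
```

Run as-is, the script shows the attacker's copy of the seed producing the victim's exact code, a phished code being accepted when relayed within the verifier's skew window (and rejected after 100 seconds), and both ways of relaying an origin-bound assertion failing: as sent, the origin does not match the relying party's; with the origin rewritten, the signature no longer verifies. Keeping the seed on one device removes the first problem but not the second; only an origin-bound factor removes both.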