Connect with us
Active Currencies 14420
Market Cap $2,654,916,693,311.20
Bitcoin Share 49.90%
24h Market Cap Change $-2.63

Crypto worth $15 mln at risk amidst phishing attack on software provider

2min Read

Retool thwarted a spear phishing attack by promptly taking swift actions and timely intervention against the hack.

Crypto worth $15 mln at risk as software provider falls to phishing attack

Share this article

  • The attacker altered user emails and reset passwords on Retool, affecting 27 accounts.
  • However, Retool’s on-premise customers remained unaffected by the attack.

Retool, a prominent software platform, fell victim to a spear phishing attack on 27 August, putting cryptocurrency worth $15 million at risk. While it led to unauthorized access for some cloud customers, Retool promptly took action to address the breach.

The attacker exploited an SMS-based phishing attack, targeting Retool employees. By sending fraudulent texts, the attacker posed as a member of the IT team, claiming to address an issue related to payroll systems and open enrollment, thus leveraging a critical point of concern for employees: healthcare coverage.

The timing coincided with the migration of logins to Okta, and the message contained a URL that mimicked Retool’s internal identity portal.

Unmasking deceptive tactics in the attack

While most employees refrained from engaging with the text, one unfortunate employee clicked on the link, leading to a fake portal, complete with multi-factor authentication (MFA) prompts.

Subsequently, the attacker initiated a phone call with the employee, using a deepfake voice that resembled a Retool IT team member. During the conversation, the employee grew increasingly suspicious, but still shared an additional MFA code.

This additional code allowed the attacker to add their device to the employee’s Okta account. Adding the device granted them access to an active GSuite session.

Notably, Google had recently introduced a feature that syncs MFA codes to the cloud, potentially compromising security. The attacker capitalized on this vulnerability, enabled by Google’s dark patterns that encouraged MFA code syncing.

The breach’s impact extended to Retool’s internal systems, including VPN and admin systems, enabling an account takeover attack on specific customers, primarily from the crypto industry.

The attacker altered user emails and reset passwords, affecting 27 accounts in total.

Upon discovering the breach, Retool took swift action. It revoked all internal authenticated sessions, securing affected accounts, notifying impacted customers, and restoring their accounts to their original states.

Remarkably, Retool’s on-premise customers remained unaffected, as the on-premises system operates independently of Retool’s cloud environment.

The company confirmed that it was actively collaborating with law enforcement and a third-party forensics firm to investigate the breach.


Saman Waris works as a News Editor at AMBCrypto. She has always been fascinated by how the tides of finance and technology shape communities across demographics. Cryptocurrencies are of particular interest to Saman, with much of her writing centered around understanding how ideas like Momentum and Greater Fool theories apply to altcoins, specifically, memecoins. A graduate in history, Saman worked the sports beat before diving into crypto. Prior to joining AMBCrypto 2 years ago, Saman was a News Editor at Sportskeeda. This was preceded by her stint as Editor-in-Chief at EssentiallySports.
Read the best crypto stories of the day in less than 5 minutes
Subscribe to get it daily in your inbox.
Please check the format of your first name and/or email address.

Thank you for subscribing to Unhashed.