Summary
On August 27, 2023, Retool was breached through SMS phishing (smishing). Employees received texts impersonating IT about a payroll and health-insurance issue, linking to a fake internal identity portal during a real, previously announced migration to Okta. One employee entered credentials and an MFA code; the attacker then phoned the employee using a deepfaked, familiar-sounding voice (vishing) and talked them into providing an additional code, which added an attacker-controlled device. A compounding factor turned MFA into single-factor: Google Authenticator had recently enabled cloud sync, so when the employee's Google account was phished, all of their synced 2FA codes for internal services were exposed at once. The attacker reached 27 cloud customers, all in cryptocurrency, with at least one (Fortress Trust) reporting significant crypto theft. Retool publicly blamed Google Authenticator's cloud-sync feature for amplifying the breach.
How to avoid it in your code
- Use phishing-resistant hardware MFA (FIDO2 security keys); disable cloud-synced TOTP for privileged accounts.
- Treat SMS and voice as untrusted channels for authentication; never read an MFA code to a caller.
- Lock MFA-device enrollment behind strong verification and alert on every new-device addition.
- Watch for smishing tied to real internal events (migrations, payroll) that attackers time to look legitimate.
- Scope and isolate customer-facing admin systems so one employee compromise cannot reach many tenants.
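The enrollment alerting in the third bullet, as an added example (this is not Retool's code or any vendor's): a single rule run over identity-provider log events that raises an alert for every successful MFA factor activation and escalates when the enrolling IP was first seen for that user only minutes earlier, which is the phish-then-add-device sequence in the incident above. The sample events are constructed for this example in the shape of Okta System Log records; the field and event-type names (`user.session.start`, `user.mfa.factor.activate`, `client.ipAddress`) are assumed to match that schema, and the 30-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape of Okta System Log records (field and
# eventType names assumed from that schema; users, IPs and times are invented).
# The alice sequence mirrors the incident pattern: a login from a never-before-seen
# IP, followed minutes later by a new MFA factor activation from that same IP.
SAMPLE_EVENTS = [
    {"published": "2023-08-20T14:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.9"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T09:02:11Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T09:04:30Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.44"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T09:06:02Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.44"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-27T09:06:40Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "192.0.2.10"}, "outcome": {"result": "FAILURE"}},
    {"published": "2023-08-27T11:15:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.9"}, "outcome": {"result": "SUCCESS"}},
]

ENROLL_EVENTS = {"user.mfa.factor.activate"}
NEW_IP_WINDOW = timedelta(minutes=30)  # assumed tuning value


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_enrollments(events):
    """Alert on every successful MFA factor activation.

    Severity is HIGH when the enrolling IP was first seen for that user within
    NEW_IP_WINDOW of the enrollment (including the enrollment itself being the
    first sighting): the 'phish, log in, add attacker device' sequence.
    Otherwise MEDIUM: still a ticket, since every new device should be
    confirmed with the user out of band.
    """
    first_seen = {}  # (user, ip) -> datetime of first successful event from that IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed logins/enrollments belong to a different rule
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        ts = parse_ts(ev["published"])
        first_seen.setdefault((user, ip), ts)
        if ev["eventType"] not in ENROLL_EVENTS:
            continue
        ip_age = ts - first_seen[(user, ip)]
        severity = "HIGH" if ip_age <= NEW_IP_WINDOW else "MEDIUM"
        alerts.append({
            "user": user,
            "ip": ip,
            "time": ev["published"],
            "severity": severity,
            "reason": (f"MFA factor activated from IP first seen {ip_age} earlier"
                       if ip_age else
                       "MFA factor activated from an IP never seen for this user"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_enrollments(SAMPLE_EVENTS):
        print(alert["severity"], alert["user"], alert["ip"], alert["reason"])
```

Running it yields two alerts: alice's activation 92 seconds after her first login from 198.51.100.44 is HIGH, bob's from an IP he has used for a week is MEDIUM, and carol's failed attempt is ignored by this rule. In production the same logic would key on ASN or device fingerprint rather than raw IP, and a HIGH alert would trigger an out-of-band callback to the user on a number already on file, never the number that initiated the enrollment.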
References
Related vulnerabilities
- HIGH: PHISH-AITM
Adversary-in-the-middle phishing defeats most multi-factor authentication by proxying the real login page. The victim is lured to a reverse-proxy site (Evilginx, EvilProxy, Tycoon 2FA) that relays every request to the genuine service, so the user completes username, password, and the MFA challenge against the real site while the proxy silently captures the session cookie the service sets once MFA succeeds. With that cookie the attacker replays an already-authenticated session and skips MFA entirely, then often pivots to business email compromise. Microsoft tracked an AiTM campaign that attempted to target more than 10,000 organizations since September 2021. One-time-code and push MFA do not stop it, because the code or approval is simply relayed; only phishing-resistant, origin-bound credentials do (FIDO2/WebAuthn security keys and passkeys), because the browser binds the signed assertion to the origin the user is actually on, and the proxy's domain is not the relying party's.
- HIGH: PHISH-SPEAR-PHISHING
Spear phishing is a phishing attack crafted for a specific person or organization using reconnaissance — role, current projects, colleagues, vendors — so the lure looks legitimate, unlike high-volume bulk phishing. The payload is usually a credential-harvesting login page or a weaponized attachment. It is the dominant initial-access vector behind major breaches (RSA in 2011, the 2016 Clinton-campaign compromise) and the entry point for most ransomware and BEC. Because it exploits human trust rather than a software flaw, technical controls alone do not stop it: defense pairs detonation and email authentication with phishing-resistant MFA and least privilege so a single phished account is contained.
- HIGH: PHISH-DNC-PODESTA-2016
In March 2016, Clinton campaign chairman John Podesta received a spear-phishing email disguised as a Google security alert warning that someone had his password and urging an immediate reset via a Bitly-shortened link to a fake Google login page. An IT aide asked to vet it replied that the email was 'legitimate' — reportedly a typo for 'illegitimate' — and Podesta entered his credentials on the attacker page. The Russian GRU group Fancy Bear (APT28) harvested the password and exfiltrated roughly 50,000 emails, later published by WikiLeaks during the U.S. election. No malware and no software exploit were involved: one convincing fake login page and one click. It is the canonical example of credential-harvesting spear phishing with outsized real-world impact.
- MEDIUM: PHISH-QUISHING
Quishing delivers the phishing link as a QR code instead of a clickable URL, usually embedded in an email body, a PDF, or an image so it survives URL-reputation and link-scanning filters that only parse text. Scanning the code moves the victim onto a personal phone, outside enterprise EDR, proxy, and email controls, where a fake login page harvests credentials and is frequently chained with adversary-in-the-middle to steal the session. Adoption is rising fast: Microsoft reported QR-code phishing up roughly 146% and said pre-delivery scanning blocked about 1.5 million quishing attempts per day in 2024, and kits increasingly fold QR codes into OAuth device-code phishing flows.
- CRITICAL: PHISH-BEC
Business email compromise is a social-engineering fraud in which an attacker impersonates a trusted party (an executive, a supplier, an attorney, payroll) over email to trick staff into wiring money or changing payment details. No malware is required; it abuses trust and weak payment process. Attackers either spoof a lookalike domain or take over a real mailbox and watch threads to time the request to a live invoice. The FBI's Internet Crime Complaint Center ranks BEC among the costliest cybercrime categories by dollar losses, identifying roughly $51 billion in exposed losses globally between October 2013 and December 2022, a figure that rose to about $55 billion when extended through December 2023, with incidents reported from more than 177 countries. Common variants are CEO/wire fraud, vendor and invoice fraud, payroll diversion, and real-estate closing fraud.
- CRITICAL: PHISH-GOOGLE-FACEBOOK-BEC-2019
Between roughly 2013 and 2015, Lithuanian national Evaldas Rimasauskas ran a business email compromise scheme that defrauded Google and Facebook of about $120 million. He registered a company in Latvia under the same name as Quanta Computer, a Taiwan-based hardware maker both firms genuinely did business with, then emailed forged invoices, contracts, and letters on spoofed corporate letterhead to employees who routinely paid Quanta. The companies wired payments to attacker-controlled bank accounts — Facebook nearly $100 million and Google over $23 million — before the fraud was detected. Rimasauskas was arrested in March 2017, pleaded guilty to wire fraud in March 2019, and was sentenced to five years in prison and ordered to forfeit nearly $50 million. Both companies recovered most of the funds. It remains the textbook large-scale vendor-impersonation BEC.
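The origin binding that the PHISH-AITM entry and the first mitigation bullet rely on, as an added example (not Retool's, Okta's or any vendor's code): the relying-party checks on `clientDataJSON` from the WebAuthn assertion procedure (type, challenge, origin). The browser fills in `origin` from the page the user is actually on and the authenticator signs over a hash of that JSON, so a proxy at another domain produces an assertion the real site rejects. The origin `https://login.example.com`, the proxy domain, and the helper names are assumptions for the example; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is assumed to follow and is not shown.

```python
import base64
import hashlib
import json
import os

# Added example, not code from the page's subject or any vendor. The relying
# party's expected origin is an assumed value.
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Server-generated, single-use challenge (32 random bytes, base64url)."""
    return b64url_encode(os.urandom(32))


def browser_client_data(origin: str, challenge: str) -> str:
    """Simulates what the browser builds for navigator.credentials.get().

    The origin field comes from the page the user is on; page JavaScript (and
    therefore a phishing proxy serving that page) cannot change it.
    """
    data = {"type": "webauthn.get", "challenge": challenge,
            "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(data).encode())


def client_data_hash(client_data_json_b64: str) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so
    the origin string is covered by the signature and cannot be rewritten."""
    return hashlib.sha256(b64url_decode(client_data_json_b64)).digest()


def verify_client_data(client_data_json_b64: str, expected_challenge: str):
    """Relying-party checks on clientDataJSON (WebAuthn assertion verification:
    type, challenge, origin). Returns (ok, reason)."""
    try:
        cd = json.loads(b64url_decode(client_data_json_b64))
    except ValueError:  # bad base64url, bad UTF-8, or not JSON
        return False, "clientDataJSON could not be parsed"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: replayed or cross-session assertion"
    if cd.get("origin") != EXPECTED_ORIGIN:
        # The check a reverse-proxy phishing site cannot get past.
        return False, f"origin mismatch: assertion was made for {cd.get('origin')!r}"
    return True, "ok"


def demo() -> dict:
    """Legitimate login versus the same user completing the ceremony on an
    AiTM proxy (assumed proxy domain https://login-example.com)."""
    challenge = new_challenge()
    legit = verify_client_data(browser_client_data(EXPECTED_ORIGIN, challenge), challenge)
    # The proxy relays the real challenge, but the browser records the
    # origin the victim is actually on, and the signature covers it.
    proxied = verify_client_data(
        browser_client_data("https://login-example.com", challenge), challenge)
    return {"legitimate": legit, "aitm_proxy": proxied}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Contrast this with a TOTP code or a push approval: neither carries the origin, so the proxy in the PHISH-AITM entry forwards it unchanged and the real site accepts it. The same origin check is what a synced-TOTP setup like the one in the Retool summary cannot provide, whatever device the seed lives on.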