Software development platform Retool has pointed the finger of blame at Google after suffering a data breach.

Here’s what happened: a hacking collective engaged in SMS phishing and social engineering managed to steal login credentials for an Okta account belonging to a Retool IT employee. It was quite an elaborate scheme, too, as it included creating a fake internal identity portal for Retool and impersonating an employee in order to have the victim share their multi-factor authentication (MFA) code. 

But given that the company used Google’s MFA tool, Authenticator, Retool’s head of engineering, Snir Kodesh, says it’s all Google’s fault. The search engine behemoth recently introduced a new feature in Authenticator, which allows users to be logged into the tool on multiple endpoints. This enabled the attackers to trick their way into Authenticator, and ultimately – Okta.

Account takeover

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems,” BleepingComputer cited Kodesh saying. “This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”

“We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it.”

Google, on the other hand, was relatively mild in its response. It reminded Kodesh that the synchronization feature is optional, and suggested they move from passwords to more secure authentication methods, such as passkeys:

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant,” a Google spokesperson told BleepingComputer.

“Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies,” the Google spokesperson said.

“While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums

對於需要直接到達內地各個機場,例廣州白雲國際機場,深圳寶安國際機場或珠海金灣機場等等, super vip team的中港車接送服務便能連同行李接送客人直達到指定機場。此外,如果客人想到國內下蹋酒店,我們亦能安排直接到達酒店,讓您能有更好的時間安排。. 8630 cedar hammock circle 1026.