Summary
- Retool disclosed that on August 29, 2023 it notified 27 cloud customers of unauthorized access to their accounts after a targeted August 27 social-engineering attack against a Retool employee.
- Who had practical control over employee support-channel verification, MFA enrollment and recovery controls, Google account dependency, customer environment isolation, detection, disclosure, and proof that support workflows could not override identity guarantees?
- The accountability issue is that enterprise automation platforms can inherit social-engineering risk from employee support channels when support or recovery paths allow strong-authentication assumptions to be bypassed in practice.
- Retool customers, internal users, support teams, identity providers, crypto and fintech workflows, auditors, and enterprise security teams needed evidence that support-channel trust was reduced to a controlled exception process.
- This article treats Retool's postmortem as the primary public record. Retool documentation, Google documentation, FIDO, CISA, NIST, Okta, and selected ecosystem records are used to evaluate control patterns and evidence boundaries.
Why this case belongs in a risk and accountability file
Retool belongs in a risk and accountability file because it shows how an enterprise software platform can fail through the gap between "MFA exists" and "MFA cannot be socially engineered around." Retool is a platform for building internal tools, workflows, administrative panels, and operational applications. Customers often use it to connect databases, APIs, payment operations, support processes, finance workflows, compliance tools, crypto operations, and other privileged internal systems.
If a provider's internal support path can take over customer accounts, the platform's own support workflow becomes part of the customer's security boundary.
The primary record is Retool's September 13, 2023 blog post, "When MFA isn't actually MFA," at https://retool.com/blog/mfa-isnt-mfa. Retool said that on August 29, 2023 it notified 27 cloud customers that there had been unauthorized access to their accounts. It said there was no access to on-prem or managed accounts. It described an August 27 spear-phishing attack in which employees received targeted SMS messages about an account issue connected to open enrollment and a recent migration to Okta. One employee logged into a fake portal that included an MFA form. Retool said the attacker then called the employee, claimed to be an IT team member, used a deepfaked familiar voice and internal context, and obtained one additional MFA code.
The incident then moved from employee identity to customer impact. Retool said access to the employee's Google account gave the attacker access to MFA codes stored in Google Authenticator through cloud synchronization. With those codes and the Okta session, the attacker gained access to Retool's VPN and internal admin systems. Retool said that allowed the attacker to run an account-takeover attack on a specific set of customers in the crypto industry by changing user emails and resetting passwords.
Retool said it revoked internal authenticated sessions, locked down affected accounts, notified affected customers, restored accounts to their original state, and reverted the 27 account takeovers.
Those facts make the incident more than a phishing story. The path crossed SMS, identity migration, help-desk style trust, voice social engineering, authenticator-code custody, VPN access, an internal support Retool instance, cloud customer administration, and customer account recovery. Every link had a different owner. The attacker controlled the deception. Retool controlled employee support processes, internal access design, administrative tooling, incident response, and customer notification. Google controlled Authenticator sync design and Google account security. Okta provided identity infrastructure.
Customers controlled their own Retool app design, user permissions, downstream transaction safeguards, and choice between cloud, managed, or self-hosted deployment.
The accountability issue is practical control, not abstract blame. Retool did not say that all Retool customers were affected. It said 27 cloud customers were notified and that on-prem and managed accounts were not accessed. That limit should be respected. At the same time, the affected path was severe because an internal support workflow could change customer account details and reset passwords. For an enterprise automation product, account takeover is not only an identity event; it can become an operational control event if the affected apps can run queries, trigger workflows, or approve irreversible actions.
The attack exploited support-channel trust, not only authentication prompts
The Retool postmortem is useful because it describes a sequence of social engineering rather than a single click. The SMS message was timed around employee benefits and an Okta migration. The fake URL was disguised as an internal identity portal. The fake portal collected login and MFA data. The attacker then called the employee and used organizational context. Retool said the employee became suspicious during the conversation but still provided one additional MFA code.
That is the real support-channel lesson: attacks can succeed by combining partial legitimacy, timing, urgency, internal vocabulary, voice familiarity, and a request that looks like a support or recovery step.
Many organizations design support processes around convenience during stressful moments. Employees are trained to resolve access problems quickly because blocked identity access can halt work. IT teams help users during migrations. Human resources processes create deadlines. Support calls often require verification. Attackers exploited that familiar pattern. If the support channel can ask for a code, add a device, approve a recovery flow, or guide a user through an identity reset, then the support channel is part of the authentication system. It must be designed as a high-risk control, not as a friendly side door.
Retool's own postmortem described the internal support Retool instance as the route by which customer account takeovers were executed. The authentication for that internal instance included VPN, SSO, and a final MFA system. Retool said a valid Google Workspace session alone would not have been sufficient. That detail matters because it shows that Retool had multiple layers. The failure was not the absence of MFA; it was the collapse of separateness when control over one account and synced authenticator secrets let the attacker pass additional layers.
This is why the title of Retool's postmortem matters. "When MFA isn't actually MFA" is not a claim that MFA is useless. It is a warning that the factors must remain independent. If the password, account session, authenticator secrets, recovery path, and support process all become reachable through one compromised account or one social-engineered conversation, the architecture may appear multi-factor while behaving like a single compound factor. The same is true if a support employee can override strong authentication without a separate, auditable, high-assurance process.
The public repair standard should therefore focus on support-channel design. Can an employee support call ever request an OTP? Can IT add or reset MFA devices without separate approval? Are recovery flows bound to phishing-resistant methods? Are administrative actions inside internal support tools gated by hardware-backed step-up? Are email changes and password resets for customers dual-controlled? Are high-risk customers, such as crypto or fintech teams, subject to stronger workflows? Are support actions logged in a way that customers can audit? Those questions follow directly from the attack path Retool described.
Cloud-synced one-time codes changed the MFA threat model
Retool's most debated conclusion involved Google Authenticator synchronization. Google announced on April 24, 2023 that Google Authenticator would support Google Account synchronization for one-time codes at https://security.googleblog.com/2023/04/google-authenticator-now-supports.html. Google's support page at https://support.google.com/accounts/answer/1066447 explains that users can synchronize verification codes across devices by signing in to a Google Account. The feature addresses a real usability problem: users lose phones, change devices, and get locked out when one-time-code seeds are local only. The convenience is obvious.
Retool's postmortem argued that this convenience created a new attack path in its environment. Retool said that access to the employee's Google account gave access to all MFA codes held within that account, and that this was the major reason the attacker could enter internal systems. Retool described the change as making what had been multi-factor authentication silently become single-factor authentication for administrators, because control of the Okta account led to control of the Google account, which led to control of synced OTPs.
That is Retool's claim about its environment, and it is appropriate to treat it as the company's incident interpretation rather than as a regulator's finding against Google.
The broader control lesson is sound. A time-based one-time password is still a shared secret. If the seed is copied into a cloud account that can be reached through the same identity path being protected, then the factor's independence can be weakened. The user may still experience two prompts, but the attacker may be working through one compromised account ecosystem. This is different from a phishing-resistant hardware key or passkey model in which the authenticator proves possession of a private key bound to the legitimate relying party and does not produce a code that can be read to an attacker.
CISA's phishing-resistant MFA fact sheet at https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf, NIST SP 800-63B at https://pages.nist.gov/800-63-4/sp800-63b.html, and the FIDO Alliance material at https://fidoalliance.org/fido2/ and https://fidoalliance.org/passkeys/ all support the distinction between code-based factors and phishing-resistant public-key methods. Retool itself recommended hardware security keys using FIDO2 in its postmortem. The lesson is not that every organization must reject every synchronized authenticator product. It is that administrators must understand where authenticator seeds are stored, who can synchronize them, whether enterprise policy can disable sync, and whether high-risk administrative systems rely on phishable or relayable codes.
Okta's own customer guidance is relevant because the attack occurred during a login migration to Okta. Okta documentation on authenticators and authentication policy at https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/about-authenticators.htm and https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-authentication-policies.htm gives organizations tools to require stronger factors for sensitive apps. Those docs are not incident findings. They are evidence that enterprises have configuration choices. A support admin panel, VPN, and customer account-management system should be among the first applications to require phishing-resistant, device-bound, or otherwise high-assurance authentication.
Internal admin tools can become customer-facing control planes
Retool's own product category makes the incident especially instructive. Retool is used to build internal tools. In the incident, Retool said an internal Retool instance used for customer support was part of the path to customer account takeovers. This creates a recursive accountability problem: a platform for building operational admin tools must secure its own operational admin tools with unusual care. The product's power is the risk. An internal admin interface can change customer emails, reset passwords, view operational state, trigger support actions, or inspect apps.
Even if it is not a production database, it can be a customer-facing control plane.
Retool's security practices page at https://docs.retool.com/legal/security describes hosted and self-hosted security responsibilities at a high level. Retool's audit-log guide at https://docs.retool.com/org-users/guides/monitoring/audit-logs and logged-events reference at https://docs.retool.com/org-users/reference/logged-events show that auditability is part of the product expectation. Retool's well-architected security guidance at https://docs.retool.com/education/coe/well-architected/security emphasizes permissions, resources, secrets, encryption, and monitoring. These documents are relevant because they show the same principles customers need for their own apps also apply to Retool's internal support apps.
Account-takeover workflows are particularly sensitive. Changing a user's email and resetting a password can transfer control even when the underlying customer app data is not directly stolen from the support tool. If a customer's Retool app is connected to a crypto, finance, healthcare, or operational system, takeover of the user account may allow the attacker to use the customer's own app permissions. Retool's postmortem said customers who had built secure apps and understood their threat matrix were effective at repelling the attack despite the account takeovers.
That is a key detail: downstream application design can limit harm, but the provider's internal support action created the initial account-control event.
The accountability question is therefore not only whether Retool restored the 27 accounts. It is whether the internal support workflow changed so that an employee account compromise cannot perform the same customer administrative actions without additional controls. High-risk actions should require human-in-the-loop review, independent approval, customer notification, delay windows, customer-held approval, hardware-backed step-up, or policy rules based on customer sensitivity. Retool said it had already implemented human-in-the-loop measures internally and expected to implement such workflows in the product.
The public record does not show every detail of those changes, so the durable test is evidence rather than intent.
Customers also need their own controls. Retool's docs on SCIM provisioning at https://docs.retool.com/sso/guides/scim-user-provisioning, audit logs, and security hardening for self-hosted deployments at https://docs.retool.com/self-hosted/self-managed/concepts/best-practices/security-hardening point toward customer-side governance: centrally manage users, revoke departed users, monitor sensitive events, harden deployment settings, and avoid giving any single Retool account irreversible operational power without compensating controls. A platform incident should cause customers to review which Retool users can run high-risk queries, change records, approve withdrawals, or trigger external actions.
Cloud, managed, and self-hosted boundaries mattered
Retool's public boundary between cloud, managed, and on-prem accounts is important. Retool said the incident affected a small subset of cloud customers and that no on-prem or managed accounts were accessed. It also said Retool on-prem operates in a zero-trust environment, does not trust Retool cloud, is fully self-contained, and loads nothing from the cloud environment. Retool's self-hosted documentation at https://docs.retool.com/self-hosted describes self-hosted and Retool-managed options, including deployments where customers retain ownership and control over data, encryption keys, and access in their own infrastructure.
That boundary should not be overstated. Self-hosted architecture can reduce dependence on Retool cloud, but customers still need to manage their own identity, network, database, secrets, updates, and monitoring. Retool's statement that on-prem was not affected is a confirmed incident boundary for this event, not a universal claim that self-hosting eliminates all Retool-related risk. Still, the distinction matters because it shows how deployment architecture can shape blast radius. A cloud support admin path may have reach into cloud customer accounts. A self-contained deployment may remove or reduce that reach.
Cloud service dependency is therefore a business decision, not just a hosting choice. Retool cloud can reduce operational burden and speed adoption. Self-hosted Retool can give customers more control over data locality, network isolation, and support boundaries. Managed self-hosted models can sit between those extremes. The right choice depends on threat model, industry, staffing, compliance, and the consequences of a support account takeover. Retool's own postmortem encouraged customers in sensitive industries to consider on-prem if security is important, while also noting that many crypto and larger customers already used on-prem.
The incident also shows that isolation must be tested at the administrative layer. A customer may believe data is isolated because databases and resources are in its own cloud, but an account takeover in the platform can still matter if the attacker can use the customer's own app permissions. Conversely, a support tool may not directly hold customer data but can trigger account changes that unlock access paths. A strong deployment boundary must consider identity control, support control, admin action control, and downstream application permissions together.
Evidence is the deciding factor. Customers should ask Retool or any similar enterprise software provider how cloud support access is separated from self-hosted environments, which support actions require approval, which customer events are logged, how account recovery is verified, how high-risk industries are handled, and how customers are notified of administrative changes. Retool's audit-log and security documentation provide a starting vocabulary, but procurement should request deployment-specific answers.
Customer harm depends on the workflow built on top of the platform
Retool's postmortem said the attacker ran account takeovers against customers in the crypto industry, changed emails, reset passwords, and poked around some Retool apps. It did not name the affected customers in the post. Third-party reporting, including CoinDesk at https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-203750644.html and Fireblocks' response at https://www.fireblocks.com/blog/in-response-to-the-fortress-trust-hack-dated-september-12-2023, linked the broader episode to Fortress Trust and cryptocurrency loss allegations. Those records are useful context, but the article should not treat every third-party claim as a Retool-confirmed fact. Retool's own confirmed facts are the 27 cloud customer account takeovers and the cloud-only boundary.
The workflow point is still essential. Retool can be used to build almost anything. One customer may build a read-only analytics dashboard. Another may build a support console that changes customer records. Another may build a crypto operations interface. Another may build a healthcare back-office workflow. The same account takeover has different consequences depending on what the account can do. Retool explicitly told customers to understand their own threat model if their apps can access dangerous or irreversible actions.
That is a sober allocation of responsibility, but it does not absolve the provider of securing the support path that enabled account takeover.
Customers should therefore evaluate Retool apps like internal production systems. Which queries can mutate data? Which apps can trigger external transfers? Which resources use production credentials? Which user groups have admin rights? Which actions require second approval? Which audit logs show query execution, page views, user logins, resource changes, and support-driven account changes? Which downstream systems can detect and reverse malicious actions? Retool's logged-events documentation provides categories, but customers need their own risk model around each app.
This is where enterprise software automation can become a harm multiplier. Automation reduces manual work by making high-impact actions easy. That is the value proposition. It also means that compromised access can execute high-impact actions quickly. A support channel that can reset an email or password is not merely helping a user. It may be enabling access to an automation surface that can reach money, customer data, inventory, or regulated records. The safer design is to make irreversible or high-value actions require independent confirmation outside the compromised channel.
The incident's account-restoration step also matters. Retool said it restored affected accounts to original email addresses and reverted the 27 takeovers. Restoration closes one layer of the incident. It does not necessarily prove that every customer-side action attempted during the window was harmless. That proof depends on customer audit logs, app design, resource permissions, and downstream system evidence. Retool's postmortem acknowledged that customers with secure apps were effective at repelling the attack, which implies that application-level safeguards were material.
Human-in-the-loop controls must be designed against social engineering
Retool's lesson about adding a human-in-the-loop is useful but incomplete unless the human process is hardened. A second human can prevent automation from silently executing a risky action. But a second human can also be socially engineered, rushed, bypassed, or asked to rubber-stamp a request if the process lacks evidence. The control must specify who approves, what evidence they check, what channel they use, whether the request is out-of-band, how the decision is logged, and how high-risk customers can impose their own requirements.
In a support workflow, this may mean that changing a customer user's email requires confirmation through a customer-admin-controlled domain, not through the requesting session. Password resets for privileged users may require customer-admin approval. MFA resets may require hardware-key re-enrollment, waiting periods, and notification to existing admins. Support employees should not ask users to read OTPs over voice or SMS. IT staff should not call employees to collect codes. Any code-sharing request should be treated as hostile by default. Internal support tools should warn and block actions that look like takeover chains.
Identity providers can help with policy, but they cannot fully replace workflow design. Okta, Google, and other providers can enforce stronger authentication, device trust, session policies, and logs. Google Cloud audit logs at https://cloud.google.com/logging/docs/audit show the general value of administrative activity records in cloud environments. But if a support process is allowed to route around identity by changing user records, the identity provider may only see the downstream login. The provider and customer need business-process logs too.
CISA's secure-by-design guidance at https://www.cisa.gov/securebydesign and secure-by-default principles are relevant here because the safer product should make dangerous support actions harder by default. The NIST Cybersecurity Framework at https://www.nist.gov/cyberframework provides the identify, protect, detect, respond, and recover structure: identify high-risk support actions, protect them with strong approval and authentication, detect unusual takeover patterns, respond by locking accounts and revoking sessions, and recover by restoring accounts and validating downstream activity. These are not abstract compliance labels; they map directly to the Retool incident path.
The support-channel lesson also applies to internal IT. Employee benefit deadlines, payroll issues, SSO migrations, and device resets are predictable attack themes. Organizations should pre-announce migration support patterns, publish verified support channels, prohibit code requests, train employees to end unexpected calls, and require ticketed out-of-band confirmation for identity actions. Deepfake concerns make informal voice familiarity weaker as an assurance method. Retool's postmortem said the attacker used a deepfaked familiar voice and internal process knowledge.
Whether a particular future attack uses deepfake audio or a convincing human impersonator, the defense must avoid trusting voice alone.
Procurement and incident response should ask for workflow evidence
The Retool incident also changes what enterprise procurement should ask from internal-tool and automation vendors. A generic security questionnaire may ask whether the vendor supports SAML, MFA, SCIM, audit logs, and encryption. Those questions are useful, but they do not reach the support-workflow problem. The more important question is whether vendor employees can perform customer-impacting account actions, under what conditions, with which approvals, and with which customer-visible logs. A platform can have SAML and MFA for customer users while still exposing customers to vendor-side support actions that change account control.
Buyers should therefore ask for the administrative-action model. Can support staff impersonate users? Can they change email addresses? Can they reset passwords? Can they disable MFA? Can they view secrets or resource credentials? Can they trigger app runs? Can they access customer apps directly? Which of those actions are impossible, which are possible only with customer approval, and which are possible during emergency support? The point is not to forbid every support action. Enterprise customers often want support teams to fix urgent account problems.
The point is to make support power explicit, logged, policy-bound, and aligned with the customer's risk.
The same questions should be asked internally by customers using Retool. A customer Retool administrator may believe the provider incident is remote, but the platform's role inside the customer environment determines impact. If a Retool app can query a production database with broad write permissions, then a compromised Retool account can be much more serious than a compromised dashboard viewer. If the app can only read a limited reporting view, the same account takeover may be contained.
If a workflow can approve a withdrawal, issue a refund, change a payroll record, or update a customer identity field, then application-layer approval and anomaly detection matter as much as login security.
Incident response should also be preplanned. Customers should know how to freeze Retool users, revoke sessions, rotate resource credentials, review audit logs, disable high-risk apps, notify business owners, and check downstream systems. Retool's documentation gives some audit and user-management tools, but each customer must map them to its own resources. A crypto operations app, a loan-servicing dashboard, a customer-support console, and a warehouse-admin panel will need different containment steps.
The account-takeover path described by Retool is a reminder that the first visible event may be an ordinary-looking login followed by legitimate application actions.
Vendors should also provide customers with incident-specific artifacts that go beyond a narrative postmortem. Useful artifacts include affected account IDs, precise timestamps, support actions performed, IP addresses and user agents when safe to disclose, audit-log event names, restored fields, customer action required, and known limitations of the investigation. Some of that information must be handled privately to avoid exposing sensitive details. But without it, customers have to infer whether a restored account means no downstream action occurred. The burden of proof should fit the risk of the workflow.
The procurement implication is not that every customer must self-host Retool. It is that deployment choice should be tied to the power of the applications being built. A low-risk internal dashboard may fit comfortably in a managed cloud service. An application that can move funds, administer customer identity, or modify regulated records may justify self-hosting, customer-held keys, provider-access restrictions, stronger audit retention, or contractual support limits. Retool's own cloud versus on-prem boundary in the incident makes that architectural choice part of accountability rather than an implementation detail.
For regulated customers, the same evidence should feed vendor-risk and compliance records. A SOC report or security overview may show baseline controls, but incident-specific accountability asks whether the provider can demonstrate that social engineering, MFA recovery, internal support tooling, and customer account administration were redesigned after failure. A customer does not need every internal screenshot or forensic note. It does need enough evidence to decide whether the support channel can still change customer control without the customer seeing it in time.
Evidence boundaries and unknowns
The public evidence supports several clear conclusions. Retool disclosed an August 27, 2023 spear-phishing and social-engineering incident. It said 27 cloud customers were notified on August 29 of unauthorized account access. It said on-prem and managed accounts were not accessed. It said the attacker used an SMS lure, a fake identity portal, a phone call, a deepfaked familiar voice, and one additional MFA code. It said access to the employee's Google account exposed synced authenticator codes, enabling VPN and internal admin access. It said the attacker changed emails, reset passwords, and looked around some Retool apps.
It said Retool revoked sessions, locked down accounts, notified customers, restored accounts, and worked with law enforcement and a third-party forensics firm.
The public evidence does not support broader claims without qualification. It does not identify every affected customer in Retool's own post. It does not prove that all Retool cloud customers were affected. It does not show that on-prem or managed accounts were accessed. It does not provide the full forensic report. It does not prove every downstream customer action or loss. It does not establish a regulatory finding against Google, Okta, or Retool. It does not show every internal control change Retool implemented after the incident. Those unknowns should be named rather than filled with speculation.
There are important evidence gaps for enterprise buyers. Did Retool remove code-based OTP from all privileged internal systems? Which support actions now require hardware-backed step-up or dual approval? Can enterprise customers impose custom support approval policies? Which audit-log events show Retool support actions in customer environments? How are support engineers prevented from changing email or password fields for high-risk customers without customer-held confirmation? How are customer notifications triggered for administrative changes?
How does Retool verify that cloud-synced authenticator seeds are not used for privileged internal access? Public documentation answers only part of this.
Customers also need to examine their own side. Did their Retool apps have approval flows for irreversible actions? Were production resources exposed through broad Retool permissions? Did audit logs capture query execution and account changes during the window? Were downstream systems able to detect unusual actions from legitimate Retool sessions? Did resource credentials have least privilege? Could a user account takeover perform transfers, data exports, or privileged updates without independent confirmation? The provider incident is the trigger, but customer app design determines much of the harm.
The strongest evidence standard is therefore two-sided. Retool should be able to prove that internal support and identity paths were hardened after the incident. Customers should be able to prove that their Retool apps cannot convert account takeover into unchecked operational harm. Google and identity-provider documentation should help organizations understand where authentication factors are stored and whether they are truly independent. The accountability file is incomplete if any party treats the presence of an MFA prompt as the end of analysis.
Why this still matters in 2026
The Retool incident remains important in 2026 because enterprise automation platforms are becoming more central to operations. Low-code and internal-tool platforms let teams build faster, connect more systems, and move business workflows out of spreadsheets and ad hoc scripts. That is valuable. It also means that account management, support tools, and identity recovery can become control planes for finance, crypto, healthcare, logistics, support, and compliance workflows. A support-channel compromise can become a business-process compromise.
The event also demonstrates that convenience features can silently change security assumptions. Cloud-synced authenticator codes help users recover from device loss and move between phones. They also require administrators to understand whether the factor remains independent of the account being protected. SSO migrations make identity easier to manage. They also create attack windows when employees expect identity prompts and support messages. Internal support tools make customer help faster. They also concentrate administrative actions that need stronger controls than ordinary app usage.
For vendors, the durable lesson is to design support as a hostile environment. Support employees should not be able to override identity guarantees casually. Customer-impacting account changes should be high-friction, logged, and visible to customer administrators. Privileged internal apps should require phishing-resistant authentication and device-bound session proof. Recovery flows should assume that attackers know internal vocabulary and can imitate voices. Customer-facing incident reports should separate confirmed facts, company interpretation, and unknowns with enough precision for customers to act.
For customers, the lesson is to treat Retool and similar platforms as production software, even when they are built by operations teams rather than traditional engineering teams. Apps that can move money, change customer records, expose regulated data, or trigger irreversible workflows need role design, approvals, audit logs, resource least privilege, and recovery drills. Customers should know whether they are using cloud, managed, or self-hosted deployment and what that means for provider support access. They should ask how support actions are logged and whether they can require approval for account changes.
For identity teams, the incident is a reminder that the factor is not only the prompt. The factor is the custody model behind the prompt. A TOTP displayed in an app, copied into a cloud account, read over a phone call, or entered into a fake portal is not equivalent to a phishing-resistant hardware-backed authenticator. MFA architecture must be evaluated by attacker path: what happens if the user is phished, the session is stolen, the recovery channel is abused, or the support channel is impersonated?
The final accountability finding is evidence-based and bounded. Retool publicly confirmed that a social-engineering attack contributed to unauthorized access affecting 27 cloud customer accounts and that on-prem and managed accounts were not accessed. Public evidence does not justify alleging compromise of every customer or every Retool deployment. Public evidence does justify treating the incident as a support-workflow and MFA-accountability test. The case shows that enterprise automation trust depends not only on application features, but also on the support and identity processes that can change who controls those applications.
Source Ledger
- Retool postmortem, "When MFA isn't actually MFA": https://retool.com/blog/mfa-isnt-mfa
- Retool Security Practices: https://docs.retool.com/legal/security
- Retool self-hosted deployments: https://docs.retool.com/self-hosted
- Retool audit-log guide: https://docs.retool.com/org-users/guides/monitoring/audit-logs
- Retool logged-events reference: https://docs.retool.com/org-users/reference/logged-events
- Retool well-architected security guidance: https://docs.retool.com/education/coe/well-architected/security
- Retool self-hosted security hardening: https://docs.retool.com/self-hosted/self-managed/concepts/best-practices/security-hardening
- Retool SCIM provisioning documentation: https://docs.retool.com/sso/guides/scim-user-provisioning
- Google Security Blog on Authenticator synchronization: https://security.googleblog.com/2023/04/google-authenticator-now-supports.html
- Google Account Help, Google Authenticator verification codes: https://support.google.com/accounts/answer/1066447
- Okta authenticator documentation: https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/about-authenticators.htm
- Okta authentication policy documentation: https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-authentication-policies.htm
- CISA phishing-resistant MFA fact sheet: https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
- CISA Secure by Design: https://www.cisa.gov/securebydesign
- NIST SP 800-63B Digital Identity Guidelines: https://pages.nist.gov/800-63-4/sp800-63b.html
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- FIDO2 overview: https://fidoalliance.org/fido2/
- FIDO Alliance passkeys overview: https://fidoalliance.org/passkeys/
- Google Cloud Audit Logs overview: https://cloud.google.com/logging/docs/audit
- Fireblocks response to Fortress Trust vendor hack: https://www.fireblocks.com/blog/in-response-to-the-fortress-trust-hack-dated-september-12-2023
- CoinDesk reporting on the Fortress Trust context: https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-203750644.html
- TechTarget coverage of Retool's vishing incident: https://www.techtarget.com/searchsecurity/news/366552136/Developer-platform-Retool-breached-in-vishing-attack

