Retool, a software development company [1] [2] [3] [4], recently disclosed a targeted social engineering attack that affected 27 of its cloud customers. The incident highlights the importance of robust, phishing-resistant security measures in the face of evolving cyber threats.

Description

The breach occurred on August 27, 2023, coinciding with Retool's transition to Okta for logins [2]. The attackers exploited a "dark pattern" in the cloud synchronization feature of Google Authenticator, which was introduced in April 2023 [1] [3]. Although they were able to change user emails and passwords, they did not gain unauthorized access to on-prem or managed accounts [2].

One of the affected customers, Fortress Trust [2], suffered a significant loss of approximately $15 million worth of cryptocurrency. The incident underscores the risk of syncing one-time codes to the cloud, where a compromise of the cloud account exposes the second factor as well, and emphasizes the value of FIDO2-compliant hardware security keys or passkeys, whose credentials are bound to the legitimate site and therefore resist phishing [2].
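As an added illustration, not taken from the original article or any of the cited sources, the following Python script contrasts the two factors the article compares: a TOTP verifier cannot know where a valid code was typed, and every copy of the seed (such as one synced to the cloud) mints the same codes, whereas a WebAuthn-style assertion carries the browser-recorded origin and relying-party ID, so one produced on a look-alike origin fails verification. All seeds, keys, origins and challenges are constructed, and an HMAC stands in for the authenticator's asymmetric signature so that the script needs only the standard library.

```python
import hashlib, hmac, json, struct
from urllib.parse import urlparse

# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step). The verifier only checks that a code
# matches the seed for the current window: it cannot tell where the code was typed,
# and every copy of the seed (including one synced to the cloud) mints the same codes.
def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def totp_verify(seed: bytes, code: str, now: int, window: int = 1) -> bool:
    return any(hmac.compare_digest(totp(seed, now + k * 30), code)
               for k in range(-window, window + 1))

# --- WebAuthn-style assertion (simplified, constructed). The browser, not the user,
# records the origin and derives the relying-party ID from it; the authenticator signs
# SHA-256(rpId) || flags || counter || SHA-256(clientDataJSON). An HMAC stands in for
# the real asymmetric signature so that this runs with the standard library only.
def browser_get_assertion(key: bytes, origin: str, challenge: str) -> tuple:
    rp_id = urlparse(origin).hostname
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return auth_data, client_data, sig

def verify_assertion(key: bytes, rp_id: str, origin: str, challenge: str,
                     auth_data: bytes, client_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                       # replayed or foreign challenge
    if cd.get("origin") != origin:
        return False                       # assertion was made on another origin
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                       # credential scoped to another RP ID
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

if __name__ == "__main__":
    seed = b"12345678901234567890"         # RFC 6238 test seed, used as a constructed example
    print("TOTP accepted, origin unknowable:", totp_verify(seed, totp(seed, 59), 59))
    key, chal = b"constructed-credential-key", "server-challenge-1"
    real = browser_get_assertion(key, "https://example.com", chal)
    fake = browser_get_assertion(key, "https://examp1e.com", chal)   # look-alike origin
    print("WebAuthn, real origin:", verify_assertion(key, "example.com", "https://example.com", chal, *real))
    print("WebAuthn, look-alike origin:", verify_assertion(key, "example.com", "https://example.com", chal, *fake))
```

The TOTP check accepts the code with no way to learn which page the user entered it on; the assertion from the look-alike origin is rejected by both the origin and the RP ID checks before the signature is even considered.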

The identity of the hackers remains unknown [4], but their tactics resemble those employed by the financially motivated threat actor Scattered Spider [4]. It is worth noting that the U.S. government has issued warnings about the use of deepfakes and synthetic media in cyber attacks [4].

Conclusion

This targeted social engineering attack has had significant consequences, with one customer experiencing a substantial financial loss. It serves as a reminder of the importance of implementing robust security measures, such as FIDO2-compliant hardware security keys [2] [4], to protect against phishing attacks. Additionally, the similarities in tactics to known threat actors highlight the need for continued vigilance and collaboration in the cybersecurity community. The U.S. government's warnings about deepfakes and synthetic media [4] further emphasize the evolving nature of cyber threats and the need for ongoing awareness and preparedness.

References

[1] https://www.redpacketsecurity.com/retool-blames-breach-on-google-authenticator-mfa-cloud-sync-feature/
[2] https://vulners.com/thn/THN:AF5066CEF32DC62E986AF1A35AF69310
[3] https://arstechnica.com/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/
[4] https://thehackernews.com/2023/09/retool-falls-victim-to-sms-based.html