A security company claims that a feature in Google’s authenticator app made a recent internal network breach even worse. Ars Technica: Retool, which helps customers secure their software development platforms, came under fire Wednesday in a post that revealed a breach in its customer support system. This breach allowed the attackers to responsibly access the accounts of 27 of her clients in the cryptocurrency industry. The attack began when a Retool employee clicked on a link in a text message purporting to come from a member of his IT team at the company. It warned that the employee would not be able to participate in the company’s public health insurance enrollment until the account issue was resolved. The text arrived as Retool was in the process of migrating its login platform to security firm Okta.
Most of the targeted Retool employees took no action, but one of them logged into the linked site and, based on the wording of the poorly written disclosure statement, likely logged into the Google Authenticator. You likely provided both your password and a temporary one-time password (TOTP). Shortly thereafter, the employee received a call from someone who claimed to be a member of her IT team and was familiar with “the office floor plan, co-workers, and the company’s internal processes.” During the call, the employee provided an “additional multi-factor code.” At this point, the severity of the breach has increased, as the synchronization feature that Google added to its authenticator in April allowed attackers to compromise not only employee accounts, but also many other corporate accounts. increased, the disclosure document claimed.