Looking Back on a Successful Social Engineering Attack: Retool 2023
Published 08/18/2025
CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world security breaches. The report presents the narrative of each incident, as well as the relevant cloud security risks and mitigations. Today we’re reflecting on the sixth incident covered in the Deep Dive: Retool 2023.
An unidentified threat actor ran a multi-stage social engineering campaign combining smishing, credential harvesting, and vishing. They timed it to coincide with Retool’s migration to Okta, which made their phishing text messages about the login change look legitimate. One employee entered their credentials on the attacker’s page and, on a follow-up phone call, read out a one-time password (OTP) code.
Armed with the employee’s credentials and that OTP code, the threat actor authenticated to Retool’s environment, enrolled a device of their own in the employee’s Okta account, and from there obtained an active session on the employee’s Google account.
Because Google Authenticator’s cloud-sync feature had backed up the employee’s OTP seeds to that Google account, the threat actor could now generate valid codes for every other MFA-protected system the employee used. One of those codes let them connect to Retool’s VPN and reach internal admin systems. From there, the threat actor took over customer accounts, changing the associated email addresses and resetting user passwords.
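The reason a synced Authenticator seed is so damaging is that a TOTP code is nothing more than a function of the shared seed and the current time. The following is an added example (not code from the CSA report or from Retool) that reproduces RFC 6238 TOTP from a seed to show that whoever holds the seed can mint the victim's codes indefinitely, and that the server's clock-skew tolerance widens the window in which a phished code can be replayed. The seed is the RFC 4226/6238 reference test seed, not any real account's secret.

```python
"""Added example: RFC 4226 HOTP and RFC 6238 TOTP from a seed.

Shows why an exfiltrated/synced Authenticator seed is equivalent to holding
the victim's second factor permanently. Not part of the original article.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890").
# Constructed test input, not a real secret.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(seed, unix_time // step, digits, algo)


def attacker_codes(seed: bytes, unix_time: int, steps_ahead: int = 3,
                   step: int = 30) -> list:
    """Codes an attacker holding the synced seed can produce now and for the
    next few time steps, with no further contact with the victim."""
    return [totp(seed, unix_time + i * step, step) for i in range(steps_ahead)]


def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30,
           skew: int = 1) -> bool:
    """Typical server-side check: accept +/- `skew` steps of clock drift.
    A phished code therefore stays valid for up to (2*skew+1)*step seconds."""
    return any(
        hmac.compare_digest(candidate, totp(seed, unix_time + d * step, step))
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("Code on the victim's phone :", totp(RFC_SEED, now))
    print("Codes from the synced seed :", attacker_codes(RFC_SEED, now))
    print("Server accepts attacker code:",
          verify(RFC_SEED, attacker_codes(RFC_SEED, now)[0], now))
```

Phishing-resistant MFA (FIDO2/WebAuthn) breaks this model because the authenticator signs a challenge bound to the relying party's origin; there is no seed to sync and no code for an employee to read out over the phone.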
The threat actor’s identity has not been disclosed, but researchers suspect the financially motivated group Scattered Spider (UNC3944).
Top Threats in Action
Multiple Top Threats made this breach possible:
Top Threat #2: Identity and Access Management (IAM)
Smishing, credential harvesting, and vishing led to the attacker obtaining authentication information.
Managing identities and access in cloud environments is complex and error-prone. Each cloud provider has its own identity system, and letting users create and manage their own accounts and resources tends to produce excessive permissions and misconfigured settings.
Without a deep understanding of each system and a management strategy that spans all of them, misconfigurations and inconsistent security policies become likely, and the dynamic nature of cloud resources (short-lived instances, automated scaling) adds to the complexity. Centralized monitoring of IAM systems makes such issues easier to spot and respond to.
Mitigating these risks involves:
- Adopting unified IAM solutions with strong authentication like single sign-on and phishing-resistant multi-factor authentication (MFA)
- Enforcing the principle of least privilege
- Automating provisioning and deprovisioning processes
- Conducting activity monitoring
- Providing continuous training and awareness programs for users and administrators
Top Threat #1: Misconfiguration and Inadequate Change Control
Retool also lacked technical controls that could have prevented the threat actor from enrolling a new MFA device on an employee’s account.
Inadequate change control practices in cloud environments can lead to human errors, such as improper configurations, that remain undetected. Cloud environments differ significantly from traditional IT infrastructure, making change control more challenging. Traditional change processes typically involve multiple roles and approvals, often taking days or weeks to complete before reaching production.
Cloud computing methodologies, on the other hand, emphasize automation, broad access, and rapid change. They often abstract static infrastructure elements into code. This dynamic environment demands an agile and proactive approach to change control and remediation.
Top Threat #5: Insecure Third-Party Resources
Lastly, Retool had not reviewed the changes Google made to the Google Authenticator application. The cloud-sync feature, enabled on the employee’s device, backed up the employee’s OTP seeds to the Google account the threat actor had just taken over.
According to research from Colorado State University, two-thirds of breaches result from supplier or third-party vulnerabilities.
A product or service is the sum of all the other products or services it uses. An exploit can start from any component integrated within the application. For the malicious hacker, this means that to achieve their goal, they simply need to look for the weakest link as an entry point. This weakest link can often be a small supplier to a large business.
Technical Impacts
- Confidentiality: The threat actor compromised the employee’s admin account, granting them access to Retool’s internal systems, applications, and sensitive data.
- Integrity: The compromised employee’s account was modified to add an unauthorized MFA device. The threat actor was also able to alter the information of 27 SaaS-based customer accounts, including their credentials.
- Availability: Availability impacts were limited to SaaS-based customers who may have been unable to access their accounts when their credentials were changed.
Business Impacts
- Financial: Retool has not disclosed the total financial impact of the breach. They likely faced costs associated with hiring a third-party forensics firm to investigate the incident. Additionally, one of Retool’s customers, Fortress, suffered significant financial loss. The threat actor was able to steal $15 million USD worth of cryptocurrency from them.
- Operational: The breach led to disruptions for both employees and customers. During the remediation phase, Retool took several actions. They revoked internal authenticated sessions for employees, isolated the affected customer accounts, and notified customers of the breach. Once Retool addressed the immediate concerns, they spent time reverting the changes made by the threat actor.
- Compliance: There were no reported compliance violations relating to this breach.
- Reputational: The breach was reported in several news outlets, resulting in Retool publishing a blog post explaining what happened. This could have affected existing and potential customers’ confidence in Retool’s ability to secure their systems and data.
Preventive Mitigation
- Separation of Duties: No controls were in place to prevent the threat actor from adding a new MFA device to the compromised account. An additional step should have been implemented, requiring IT to review and approve any such change before it was allowed.
- Least Privilege: They should have implemented a process to prevent unauthorized customer data modification. Since the admin account could modify customer data, the threat actor was able to reset customer credentials.
- Vulnerability Identification: Frequently review critical third-party applications to identify new features and their associated vulnerabilities. If Retool had identified the change Google made early on, they could have prevented the breach by ensuring their employees had turned cloud synchronization off.
- Unauthorized Change Protection: Technical controls should be in place to prevent unauthorized changes to accounts and systems. In Retool’s case, this would include restricting employees’ ability to add new MFA devices to their accounts.
- Change Management Baseline: Establish a baseline of approved devices and MFA factors for each user account, and require approval before any new device or factor is associated with it.
- Security Awareness Training: Conduct regular training sessions. Educate employees on the latest social engineering techniques and the dangers of phishing attacks.
Detective Mitigation
- Detection of Baseline Deviation: Implement controls to detect deviations from established baselines. The addition of an unauthorized MFA device to the employee’s account should have been flagged.
- Audit Log Monitoring and Response: The employee’s admin account was used to modify customer data. This should have signaled unusual activity for that account. Implementing monitoring to detect and alert such abnormal behavior could have helped identify the breach earlier.
- User Access Review: Implement a process to frequently review and revalidate user least privilege access and separation of duty. This would help identify user accounts with access to data, applications, systems, and permissions that they don't need.
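The two detective controls above (baseline deviation and audit-log monitoring) are straightforward to express as detections. The following is an added example, not code from the CSA report or from Retool, that runs both over a handful of constructed events: it flags an MFA factor enrolled from a device outside the account's approved baseline, and an actor who makes a burst of customer credential or contact changes in a short window. The identity event names follow Okta System Log conventions (`user.session.start`, `user.mfa.factor.activate`); the `customer.*` events, account names, IPs and timestamps are hypothetical stand-ins for an internal admin tool's audit log.

```python
"""Added example: two detections that would have fired in the Retool incident,
run over constructed sample events. Not part of the original article.

Event type names for the identity provider follow Okta System Log naming;
the customer.* names are hypothetical for an internal admin tool's audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; every value here is illustrative.
EVENTS = [
    {"ts": "2023-08-27T10:00:00Z", "actor": "alice", "type": "user.session.start",
     "ip": "203.0.113.10", "device": "macbook-alice"},
    # Attacker logs in with phished credentials + OTP from an unknown device...
    {"ts": "2023-08-27T10:01:30Z", "actor": "alice", "type": "user.session.start",
     "ip": "198.51.100.77", "device": "android-unknown"},
    # ...and enrolls that device as a new MFA factor.
    {"ts": "2023-08-27T10:02:10Z", "actor": "alice", "type": "user.mfa.factor.activate",
     "ip": "198.51.100.77", "device": "android-unknown"},
    # Later, the admin account is used to take over customer accounts.
    {"ts": "2023-08-27T10:40:00Z", "actor": "alice", "type": "customer.email.update",
     "ip": "198.51.100.77", "target": "cust-0001"},
    {"ts": "2023-08-27T10:40:05Z", "actor": "alice", "type": "customer.password.reset",
     "ip": "198.51.100.77", "target": "cust-0001"},
    {"ts": "2023-08-27T10:41:00Z", "actor": "alice", "type": "customer.email.update",
     "ip": "198.51.100.77", "target": "cust-0002"},
    {"ts": "2023-08-27T10:41:05Z", "actor": "alice", "type": "customer.password.reset",
     "ip": "198.51.100.77", "target": "cust-0002"},
    {"ts": "2023-08-27T10:42:00Z", "actor": "alice", "type": "customer.password.reset",
     "ip": "198.51.100.77", "target": "cust-0003"},
    # Normal support activity by another admin: a single reset.
    {"ts": "2023-08-27T11:15:00Z", "actor": "bob", "type": "customer.password.reset",
     "ip": "203.0.113.20", "target": "cust-0042"},
]

# Change-management baseline: devices approved for each account (constructed).
BASELINE = {"alice": {"macbook-alice"}, "bob": {"thinkpad-bob"}}

SENSITIVE_CUSTOMER_CHANGES = {"customer.password.reset", "customer.email.update"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_unapproved_factor(events, baseline):
    """Baseline deviation: MFA factor enrolled from a device the account's
    baseline does not list. Returns the offending events."""
    return [
        e for e in events
        if e["type"] == "user.mfa.factor.activate"
        and e.get("device") not in baseline.get(e["actor"], set())
    ]


def detect_bulk_customer_changes(events, threshold=3, window=timedelta(minutes=15)):
    """Audit-log monitoring: an actor making >= threshold sensitive customer
    changes inside `window`. One alert per actor, on the first qualifying run."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] in SENSITIVE_CUSTOMER_CHANGES:
            by_actor[e["actor"]].append(parse_ts(e["ts"]))
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"actor": actor, "count": j - i + 1,
                               "start": times[i].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for e in detect_unapproved_factor(EVENTS, BASELINE):
        print("ALERT new MFA factor outside baseline:", e["actor"], e["device"], e["ip"])
    for a in detect_bulk_customer_changes(EVENTS):
        print("ALERT bulk customer changes:", a)
```

In production the first detection is usually strengthened by correlating the enrollment with the preceding `user.session.start` from the same unfamiliar IP within a few minutes, and the second by keying on the admin application's own audit trail rather than the IdP log, since customer modifications never pass through Okta.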
Corrective Mitigation
- Change Restoration: Define and implement a process to proactively roll back changes to a previously known good state. This would ensure that Retool could quickly restore the customers’ and employees’ accounts.
- Sensitive Data Protection: Implement procedural and technical measures to ensure that customer data cannot be modified without their approval.
- Incident Response Plans: Establish a security incident response plan. Ensure the response team is prepared to effectively handle security incidents.
Control Effectiveness Measurements
- Reported Suspicious Activity: The number of employees who report suspicious activity such as phishing, vishing, or smishing.
- Social Engineering Tests: The percentage of employees who fell for social engineering tests and how many were repeat offenders.
- IAM Access Reviews: The percentage of privileged accounts audited to ensure they only have access to systems and data they need.
- Application Reviews: The percentage of applications assessed for vulnerabilities, misconfigurations, and security risks.
Key Takeaways from This Incident
- Fully trusting third-party tools for internal authentication can lead to unexpected changes that impact security. If you rely on tools like Google Authenticator for OTPs, routinely review their updates for new security risks.
- Emerging technologies like deepfakes are making social engineering attacks more effective. Regular security awareness training and simulated social engineering tests can help employees better recognize and resist such threats.
- SaaS applications introduce additional risks, especially when used for critical operations. If you use SaaS-based applications, conduct thorough vendor and application reviews. Make sure to understand how the vendor handles access to your account and data.
- You must implement effective change management controls to detect, alert, and prevent unauthorized changes within your environment.
Interested in reading about other recent cyber incidents? CSA’s Top Threats to Cloud Computing Deep Dive 2025 analyzes seven other notable cloud breach cases. Get a detailed breakdown of the Snowflake, Football Australia, CrowdStrike, Toyota, Darkbeam, FTX, and Microsoft incidents. This breakdown includes:
- An attack detail
- A description of the threat actor
- The associated top threats
- The technical and business impacts
- Relevant Cloud Controls Matrix (CCM) controls to use for preventive, detective, and corrective mitigation
- Essential metrics to measure control effectiveness
- Key takeaways