Software development company Retool has blamed the hack of crypto custodian Fortress Trust on a recently introduced Google Account cloud synchronization feature, Hacker News reported on Sept. 18.

Retool, which provides cloud services for several customers, including Fortress Trust, disclosed that all the accounts of its 27 cloud customers were compromised. The breach led to Fortress Trust losing $15 million.

The hack process

Retool’s head of engineering, Snir Kodesh, said the new Google update changed its multifactor authentication standard to single-factor authentication without the administrators being aware.

This allowed the breach, which started as an SMS social engineering attack targeting the company’s employees, to be successful. The bad actor had sent malicious links to employees while pretending to be a member of the IT team.

The message accompanying the link said it was to resolve a payroll issue, and one of the employees unknowingly entered their credentials on the fake landing page. The hackers then called the employee using deepfake voice to obtain a multifactor authentication code.

The hackers could add their device to the employee’s account and produce their multifactor authentication code. This meant they could have an active Google Workspace session on the device.

The hackers gained access to the internal admin system from their devices by activating Google Authenticator cloud sync. They immediately took control of customers’ accounts, changing their email and password.

Retool did not disclose how the attack affected its other customers. However, the sophistication of the process suggests that hackers are experts who might even have insider access to tailor their phishing campaigns to targets.

Following the Aug. 27 incident, Ripple acquired Fortress Trust, reimbursing the affected customer’s funds. Meanwhile, this incident underscores the increasing sophistication of social engineering scammers and hackers now focusing on crypto firms.