How Google Authenticator Made One Company’s Network Breach Much, Much Worse

A security company is calling out a feature in Google’s authentication app that it says made a recent internal network breach much worse. ArsTechnica: Retool, which helps customers secure their software development platforms, addressed the criticism on Wednesday in a post revealing a compromise of its customer support system. The breach gave the attackers responsible access to the accounts of 27 customers, all in the cryptocurrency industry. The attack began when a Retool employee clicked on a link in a text message purporting to come from a member of the company’s IT team. The message warned that the employee would not be able to participate in the company’s open enrollment for health coverage until the account issue was fixed. The text arrived as Retool was in the process of moving its login platform to security company Okta.

Most of the targeted Retool employees took no action, but one logged into the linked site and, based on the wording of the poorly written disclosure, likely provided both a password and a temporary one-time password, or TOTP, from Google Authenticator. Shortly thereafter, the employee received a phone call from someone claiming to be a member of the IT team and familiar with “the office floor plan, coworkers, and internal processes of our company.” During the call, the employee provided an “additional multi-factor code.” It was at this point, the disclosure claims, that the synchronization feature Google added to its authenticator in April increased the severity of the breach, as it allowed attackers to compromise not only the employee’s account, but multiple other company accounts as well.