
Retool MFA Bypass via Google Authenticator Cloud Sync Phishing

📅 2023-08-27 🏢 Google Authenticator (cloud sync feature); Okta

Incident Details

On August 27, 2023, a Retool employee received a convincing smishing (SMS phishing) message claiming to be from Retool IT support about a benefits enrollment issue that required action. After clicking the link and entering credentials, the employee was persuaded over a voice call to read out a TOTP code from Google Authenticator. Critically, Google had recently introduced a cloud sync feature for Google Authenticator that automatically backed up TOTP seeds to the user's Google Account. Because the attacker had already compromised the employee's Google account through the phishing, they obtained every synced MFA seed without needing the physical device and could generate valid codes at will. This gave the attacker persistent MFA bypass into Retool's Okta, Google Workspace, and internal admin tools. 27 customers in the crypto industry were impacted; the attackers used their access to target these customers. Retool's post-mortem became a seminal industry case study on the danger of MFA token cloud syncing and the limits of SMS-based MFA.

Technical Details

Initial Attack Vector
The attacker used a spear-phishing SMS (smishing) to social-engineer a Retool employee into providing credentials and a Google Authenticator TOTP code. With the employee's Google account compromised, the attacker retrieved the OTP seeds synced through the newly enabled Google Account cloud sync feature, bypassed MFA, and gained access to Retool's Okta admin console, then Google Workspace and internal systems.
Vendor / Product
Google Authenticator (cloud sync feature); Okta

Timeline

  1. 2023-08-27 Breach occurred
  2. 2023-09-13 Publicly disclosed
  3. 2023-09-13 Customers notified