Company: Retool
Date Published:
Author: Snir Kodesh
Word count: 1652
Language: English
Hacker News points: 393

Summary

On August 27, 2023, Retool experienced a spear phishing attack that resulted in unauthorized access to the accounts of 27 cloud customers, all within the crypto industry; on-premise customers were unaffected. The attack began with SMS phishing messages targeting employees. One employee was tricked into granting access to an attacker who then used a deepfake of a colleague's voice to obtain a multi-factor authentication (MFA) code. With that code the attacker added their own device to the employee's Okta account and, because Google Authenticator had synchronized the employee's MFA codes to their Google account, was able to reach critical internal systems, highlighting a weakness of software-based OTPs. Following the breach, Retool quickly revoked internal sessions, restored the affected accounts, and emphasized the need for more robust controls, such as hardware security keys and human-in-the-loop workflows. The incident underscored the importance of understanding threat models, implementing defense-in-depth strategies, and encouraging on-premise deployments for industries that require stronger security. By sharing its experience openly, Retool aims to raise industry awareness of such risks and improve security practices.