The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on 11 April following a major data breach at data analytics firm Sisense, reportedly exposing millions of customer credentials and certificates.
On April 10, Sisense’s CISO, Sangram Dash, issued a notice to customers that the company was aware of a security incident that saw threat actors gain access to customer data, according to KrebsOnSecurity.
Dash acknowledged that “certain company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet)”.
The notice stated Sisense was engaging industry experts to help address the incident and remediate any fallout from the breach, adding the incident had resulted in an interruption to business operations.
Sisense is a data analytics tool used across a variety of enterprises, enabling businesses to manage multiple third-party online services in a single dashboard, such as Salesforce, GitHub, Box, or BigQuery.
The potential fallout from this incident could be sprawling, due to the company’s prevalence in enterprise IT estates around the world and its role in connecting various services with highly sensitive data.
CISA’s advisory urges businesses to reset credentials and secrets potentially used to access Sisense services as quickly as possible and to investigate any suspicious activity involving these credentials over previous months. Findings should then be reported back to the agency.
Since the advisory was issued, a number of customers have taken to Sisense’s community troubleshooting message board to voice their concerns about the lack of information provided by the company.
Hackers accessed millions of access tokens, email account passwords, and SSH certificates
According to reporting from Brian Krebs, the breach occurred after hackers gained access to Sisense’s self-hosted GitLab code repository.
In the repository, threat actors were able to identify a credential or token that gave them access to Sisense’s Amazon S3 buckets in the cloud.
Krebs’ sources claimed the attack successfully exfiltrated terabytes’ worth of customer data, which amounted to millions of access tokens, email passwords, and SSH certificates.
Access tokens essentially constitute text files stored on a machine to help users stay logged into services, sometimes indefinitely. If they fall into the wrong hands, hackers can reuse them to authenticate themselves on internal dashboards without having to provide valid credentials.
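The reported root cause, a credential or token stored in a code repository that opened access to S3 buckets, is the case repository secret scanning is meant to catch. The Python example below is added here and is not code from Sisense, CISA or KrebsOnSecurity; its patterns (AWS key formats, private-key headers) are assumptions, since the reporting does not say what kind of credential was exposed, and its sample input is constructed from AWS's documented example key pair.

```python
import os
import re
import sys

# Patterns are assumptions: the page does not say what kind of credential was exposed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def redact(value):
    """Keep only the first four characters so findings are safe to log."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text, source="<memory>"):
    """Return (source, line_no, kind, redacted_match) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)  # captured value, else whole match
                findings.append((source, line_no, kind, redact(secret)))
    return findings

def scan_tree(root):
    """Scan every readable file under root, skipping the .git object store."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return findings

# Constructed sample using AWS's documented example key pair, not real credentials.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
bucket = example-bucket
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.ini")
    for source, line_no, kind, shown in hits:
        print(f"{source}:{line_no}: {kind} {shown}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status on any finding lets the script fail a pre-commit hook or CI job. It reads only the current working tree, so a secret that was committed and later deleted remains in Git history and still has to be rotated.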
Sangram Dash’s message to customers included a number of specific steps they should take to minimize the possibility of being targeted using secrets exposed in the breach.
Dash advised customers to change their passwords for all Sisense-related services and for all users in the Sisense application, in addition to:
- Rotating access tokens
- Rotating credentials and keys
- Logging out of single sign-on (SSO) accounts
- Resetting user parameters.
He also noted that Sisense has created a dedicated response team to assist with specific requests and that customers requiring assistance should submit a customer support ticket marked as critical.