Sisense customers told to reset passwords following possible attack — CISA warns users they could be at risk

American business intelligence company Sisense has warned its customers to reset practically all passwords, key, and tokens, used within its application.

The firm said it recently suffered a data breach, hinting that the miscreants obtained different login credentials and session tokens.

As reported by KrebsOnSecurity, last Wednesday, Sisense’s Chief Information Security Officer, Sangram Dash, reached out to customers, saying the firm learned that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”

Compromised Gitlab

“We are taking this matter seriously and promptly commenced an investigation,” Dash continued. “We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.”

In a follow-up note, however, Sisense said users should change their passwords, replace the Secret in the Base Configuration Security section, log out all users, update sso.shared_secret, rotate the x.509 certificate, rotate client secrets (for those utilizing OpenID), and make many other updates (the full list can be found here).

The breach seems to be quite alarming, as even the U.S. Cybersecurity and Infrastructure Security Agency (CISA) chimed in. Issuing an alert, the government body said it was investigating the breach as well: “CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” it said in the alert. “We will provide updates as more information becomes available.”

While Sisense did not share any details on the nature of the breach, KrebsOnSecurity uncovered that it was likely that hackers somehow breached the company’s Gitlab code repository. This repo contained a token, or credential, which allowed them to access the company’s Amazon S3 buckets in the cloud. From there, the attackers exfiltrated terabytes of customer data, including access tokens, email passwords, and even SSL certificates.

All of this came from “two trusted sources with close knowledge of the breach investigation.