Sisense customers were told to reset their passwords after a possible attack. CISA warns users that they may be at risk

US business intelligence company Sisense has warned its customers to reset virtually all passwords, keys and tokens used in its application.

The company said that it recently suffered a data breach, which indicates that the miscreants obtained several login credentials and session tokens.

As reported by KrebsOnSecurity last Wednesday, Sisense’s Chief Information Security Officer Sangram Dash contacted customers and said the company had learned that “certain Sisense corporate information may have been made available on what we have been told is a restricted server (not generally available on the Internet.)”

Compromised GitLab

“We take this matter seriously and have immediately launched an investigation,” Dash continued. “We have engaged leading industry experts to assist us in the investigation. This issue has not led to an interruption of our business operations. Out of an abundance of caution, and as we continue to investigate, we recommend that you immediately rotate any credentials you use in your Sisense application.”

However, in a follow-up note, Sisense says users should change their password, replace the secret in the Basic Configuration Security section, log out all users, update sso.shared_secret, rotate the X.509 certificate, rotate client secrets (for those using OpenID) and make many other updates (the note carries the full list).

The breach seems quite alarming as even the US Cybersecurity and Infrastructure Security Agency (CISA) intervened. The government body issued a warning and said it was also investigating the breach: “CISA is taking an active role in working with private industry partners to respond to this incident, especially as it affects affected organizations in the critical infrastructure sector,” the report said. “We will provide updates as more information becomes available.”

While Sisense did not share details about the nature of the breach, KrebsOnSecurity found it was likely that hackers had somehow breached the company’s GitLab code repository. This repository contained a token or credentials that allowed them to access the company’s Amazon S3 buckets in the cloud. From there, the attackers exfiltrated terabytes of customer data, including access tokens, email passwords, and even SSL certificates.

All this came from “two trusted sources with good knowledge of the breach investigation.”
