
Sisense Password Compromise Triggers a CISA Alert Requiring Credentials Reset

A CISA alert has directed Sisense customers to reset their account login credentials, secrets, and tokens after a password compromise impacted the business intelligence and data analytics company.

Founded in 2004, Sisense provides analytics software to over 2,000 major companies across sectors, including healthcare, manufacturing, airlines, telecommunications, and technology. Notable Sisense customers include Verizon, Air Canada, Hive, and Nasdaq.

The company relies on passwords, security keys, and tokens to access its clients’ data, suggesting that customers’ sensitive information is at risk of unauthorized access.

Sisense password compromise triggers a CISA alert

Highlighting the risk posed by Sisense’s password compromise, the Cybersecurity and Infrastructure Security Agency (CISA) said it was working with other industry players to respond to the breach.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the CISA alert disclosed.

The CISA alert urged Sisense customers to “reset credentials and secrets potentially exposed to, or used to access Sisense services,” and report any suspicious activity involving the use of compromised credentials.

The CISA alert provided little information about the password compromise, and Sisense has not publicly acknowledged it either.

However, Sisense has internally acknowledged the breach, according to an email published by independent cybersecurity journalist Brian Krebs, which stated that the company was aware of its customer data circulating on the dark web.

“We are aware of reports that certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet),” said Sisense.

The company also said it launched an investigation and engaged “industry-leading experts” to assist, although the incident had not caused any disruptions.

Sisense also urged its customers to promptly “rotate any credentials that you use within your Sisense application” out of an abundance of caution.

Millions of Sisense credentials at risk and potential supply chain attacks

Sisense has released another statement listing the compromised credentials. They include single sign-on (SSO) secrets such as SSO JWT, SSO SAML, and OpenID, as well as non-SSO credentials, my.sisense.com portal passwords, customer database credentials, the Active Directory/LDAP username and password used for AD synchronization, Git authentication, Web Access Tokens, custom email server credentials, and B2D secrets, among others.

Although the CISA alert and Sisense’s statement did not disclose the scope of the password compromise, security experts estimated that millions of credentials were at risk.

Given that some of Sisense’s clients, like Hive, serve high-profile downstream customers like Starbucks, Uber, and IBM, there is a possibility of supply chain attacks stemming from the Sisense password compromise.

“The widespread usage of Sisense by large companies across a wide variety of industries amplifies the scope and severity of the reported unauthorized access into Sisense’s systems,” said Patrick Tiquet, Vice President of Security & Architecture at Keeper Security. “Attackers may seek to exploit their access to further infiltrate the connected networks of Sisense’s customers, creating a ripple effect down the supply chain.”

So far, none of the impacted company’s customers has reported a data breach. However, given the extent of the breach, customers should conduct threat hunting and search for any suspicious activity.

“The details around the Sisense breach are unknown, however, my recommendations for action would be to change passwords of any Sisense accounts, reset API keys used for services associated with Sisense, and look for any unusual activity from April 5 onwards,” said Jason Soroko, Senior Vice President of Product at Sectigo.

Meanwhile, the identity of the threat actor behind the Sisense password compromise remains a mystery, and there is no word on whether an insider threat was involved.

Both the CISA alert and the company’s statement appear to withhold as many details as possible, suggesting that the breach was significant.

“The fact that the Cybersecurity Infrastructure and Security Agency (CISA) issued an advisory today regarding the Sisense data breach is ominous at best, as the overall fog that many of us experience from reading about impactful data breaches and cyber-attacks daily can be overwhelming,” said Sean Deuby, Principal Technologist at Semperis.

Sisense has not disclosed the steps it took to prevent similar incidents but has assured its customers that it gives “paramount importance to security.”