Dan Goodin on Nostr:
by [@briankrebs](https://infosec.exchange/@briankrebs)
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.
Customers can use Gitlab either as a solution that is hosted in the cloud at Gitlab.com, or as a self-managed deployment. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.
Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.
It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.
https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/
Published at
2024-04-12 16:42:54