Decipher File · Pre-April 2024 compromise, April 10 customer notifications and April 11 CISA alert
Sisense BI Breach (Apr 2024): CISA Alert Forces Mass Credential Rotation
On April 11, 2024 CISA published an alert, "Compromise of Sisense Customer Data", urging Sisense customers to reset any credentials and secrets potentially exposed to, or used to access, Sisense services, after the business intelligence vendor disclosed a security incident to its customers. Those customers, reportedly including Fortune 500 companies and federal agencies, had loaded database credentials, API keys, OAuth tokens and cloud service credentials into Sisense so the platform could connect to their source data systems, so a compromise of Sisense's stores gave the actor potential access to those downstream systems. Sisense emailed customers on April 10, and investigative journalist Brian Krebs published the first public account on April 11, 2024. The result was one of the larger vendor-driven credential rotation events the BI market has seen, with customer-side rotation work running for weeks.
Incident summary
On April 11, 2024 CISA published an alert titled "Compromise of Sisense Customer Data" urging customers of Sisense, a business intelligence and analytics platform vendor, to reset credentials and secrets potentially exposed to, or used to access, Sisense services. That scope is wider than the source-system credentials alone: it covers the database passwords, API keys, OAuth tokens and cloud service credentials customers had loaded into Sisense for querying source data, and also the identities customers used to log in to Sisense itself (SSO, directory and local accounts). CISA treated all of them as potentially compromised and asked for immediate rotation. An alert is guidance rather than a binding directive, but given the exposure, rotation was the only safe course for every customer.
The alert followed notifications that Sisense's CISO emailed to customers on April 10, 2024 confirming a security incident and recommending that they rotate credentials. Krebs on Security published a report on April 11, 2024 with detail from sources briefed on the investigation: the attackers had gained access to Sisense's self-managed GitLab code repository, found in it a token or credential that granted access to Sisense's Amazon S3 buckets, and used that access to copy several terabytes of customer data, reportedly including millions of access tokens, email account passwords and SSL certificates. Sisense did not name the initial vector in its own communications, but CISA's direction to rotate everything shared with Sisense is consistent with a credential-store compromise.
Sisense's customer base spans financial services, healthcare, technology, retail and other sectors, and reportedly includes Fortune 500 enterprises and federal civilian agencies. Because the secrets exposed belonged to the customers rather than to Sisense, the alert produced a coordinated cross-sector rotation event that ran for weeks. The credentials customers had connected to Sisense covered warehouses and databases (Snowflake, Amazon Redshift, Google BigQuery, MySQL, PostgreSQL), cloud accounts (AWS, Azure, GCP), SaaS applications such as Salesforce, and dozens of other source systems, each with its own rotation procedure. The cumulative customer-side remediation cost has not been publicly disclosed.
Attack technique
Per Krebs on Security's April 11, 2024 reporting, the initial access was to Sisense's self-managed GitLab code repository. The repository did not need to hold customer credentials directly: it contained a token or credential for Sisense's Amazon S3 buckets, and those buckets held customer data at rest, including the connection credentials customers had supplied. An actor with that S3 access could enumerate customer-supplied credentials for source data systems and use them to attempt direct access to customer databases, APIs and cloud services. How the GitLab repository itself was compromised was not disclosed by Sisense or by Krebs's sources.
The chain is a structural risk pattern in SaaS analytics. BI platforms, ETL and data-integration services, and similar vendor-managed tools require customers to hand over credentials for source systems; the vendor stores them and uses them on the customer's behalf to query data. Storing them is necessary for the product to work, so the questions are how they are stored (encrypted per tenant, in a secrets manager, referenced by short-lived token rather than copied into buckets and repositories) and how narrowly they are scoped. Compromise of the vendor's store exposes every customer source system whose credential sits in it. In blast radius this resembles other vendor-side compromises such as the 2023 Okta support case system breach; it differs from the SolarWinds Sunburst case, where exposure came through a trojanized software build rather than through stored customer secrets.
Customer-side credential rotation following the alert was operationally complex. Rotating a database password is straightforward in isolation. Rotating credentials shared with a BI vendor means identifying every Sisense data source connection, dashboard, data model, schedule and trigger that depends on them, then updating each dependent object after the rotation. Because CISA's scope also covered credentials used to access Sisense, customers rotated the SSO and directory identities that logged in to the platform as well. Customers without current credential dependency inventories spent the first several days of the work simply discovering what depended on each credential. The post-incident work also included a broader review of which secrets every vendor held, not just Sisense.
Whether the actor used the harvested credentials for downstream access to customer systems has not been publicly established. CISA's alert was precautionary, driven by the exposure of the secrets rather than by confirmed downstream access, and no compromise of a named Sisense customer's systems has been publicly attributed to this incident in the sources listed here. That is not evidence of absence: harvested credentials can be used months after the theft, which is why rotation rather than monitoring alone was the correct response.
Impact and consequences
Customer-side rotation was the dominant cost. Across hundreds to thousands of customer environments, each rotating credentials for tens to hundreds of source systems plus the identities used to log in to Sisense, the effort was a substantial security-operations expense. No per-customer or aggregate figures have been published; figures of 200 to 500 person-hours per large enterprise, or tens of millions of dollars in aggregate, are estimates rather than disclosed data.
Sisense's own business impact was material but bounded. The company continued to operate through the incident and beyond. It is privately held and does not publish detailed financials, so any revenue effect, contract renegotiation or churn to competing platforms (Tableau, Power BI, Looker, ThoughtSpot, Domo) has not been quantified publicly. The reputational impact within the BI and analytics market was significant.
The broader consequence fell on the BI vendor category as a whole. Customer audits of how BI and analytics vendors store, encrypt and access customer-supplied credentials intensified after the incident, and vendors faced more detailed questionnaires on credential-storage architecture. The incident also strengthened the case for architectures in which the vendor never holds a reusable production secret: customer-managed vault integrations, private connectivity (PrivateLink and cloud equivalents) with network-restricted service accounts, and read-replica or export-dataset patterns where the vendor's credential is read-only and scoped to a copy of the data.
Regulatory consequence was narrow. CISA issued an alert, not an Emergency Directive, so no binding federal deadline was attached; the alert was notable mainly because it concerned a vendor's compromised store of customer secrets rather than the more common product vulnerability. No specific change to OMB, FedRAMP or other federal vendor-risk requirements has been publicly attributed to this incident.
Indicators of Compromise
Sisense and CISA published no technical indicators (hashes, IP addresses, domains) for this incident, so the items below are the event's key artifacts and the conditions to hunt for in your own environment. Cross-reference them against your existing detection rules before acting on them.
- CISA alert "Compromise of Sisense Customer Data" of April 11, 2024, urging customers to reset credentials and secrets potentially exposed to, or used to access, Sisense services
- Sisense customer notification email of April 10, 2024 confirming the incident and recommending credential rotation
- Unauthorized access to Sisense's self-managed GitLab repository and, via a token found there, to Sisense S3 buckets holding customer data (per Krebs on Security)
- Successful authentication to your source systems by the service identity Sisense uses, from IP addresses outside the vendor's documented egress ranges, at any time before your rotation
- Any authentication attempt, successful or failed, using a credential after you rotated it: a failed attempt with a retired key is the clearest signal that the key was harvested
- Unexpected sessions, token refreshes or API calls by Sisense-linked identities in Snowflake, Redshift, BigQuery, MySQL, PostgreSQL, AWS, Azure, GCP and SaaS applications such as Salesforce
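Hunt logic for the last three items, as an added example (not code from Sisense, CISA or Krebs on Security). It scans constructed warehouse login events for two conditions: the BI service principal authenticating from outside the vendor's published egress ranges, and any use of a retired key after the rotation cutover. The egress CIDRs, principal names, key ids and log lines are all hypothetical; substitute your vendor's documented ranges and your warehouse's login-history export.

```python
"""Hunt for misuse of the credentials a BI vendor holds for your source systems.

Added example, not code from Sisense, CISA or Krebs on Security. Assumes auth
events as JSON lines with ts, user, key_id, src_ip and outcome (a typical
warehouse login-history export); all values below are constructed.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Hypothetical egress ranges the BI vendor documents for its connectors.
# Substitute the vendor's real published ranges; these are RFC 5737 test nets.
VENDOR_EGRESS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Service identities the vendor authenticates as (hypothetical).
BI_PRINCIPALS = {"svc_bi_reader"}

# Key ids retired by the rotation, and the cutover time after which any use of
# them is suspicious (hypothetical values).
RETIRED_KEY_IDS = {"key_2023_07"}
ROTATION_CUTOVER = datetime(2024, 4, 11, 18, 0, tzinfo=timezone.utc)

# Constructed login history: a legitimate vendor login, one from an address
# outside the vendor's ranges, the first login with the new key, a failed
# attempt with the retired key after cutover, and an unrelated human login.
SAMPLE_LOG = """\
{"ts":"2024-04-09T02:14:00Z","user":"svc_bi_reader","key_id":"key_2023_07","src_ip":"198.51.100.7","outcome":"success"}
{"ts":"2024-04-09T03:40:12Z","user":"svc_bi_reader","key_id":"key_2023_07","src_ip":"192.0.2.77","outcome":"success"}
{"ts":"2024-04-11T19:05:31Z","user":"svc_bi_reader","key_id":"key_2024_04","src_ip":"198.51.100.7","outcome":"success"}
{"ts":"2024-04-12T01:17:44Z","user":"svc_bi_reader","key_id":"key_2023_07","src_ip":"192.0.2.77","outcome":"failure"}
{"ts":"2024-04-12T08:00:00Z","user":"alice","key_id":"key_alice","src_ip":"10.1.2.3","outcome":"success"}
"""


def parse_events(text):
    """Parse JSON-lines auth events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def from_vendor_egress(ip):
    """True if the source address lies in one of the vendor's documented ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_EGRESS)


def hunt(events):
    """Return (rule, timestamp, src_ip) findings for the vendor's principals.

    Rule 1: a successful login by a vendor principal from outside the vendor's
    egress ranges means someone other than the vendor is using the credential.
    Rule 2: any use of a retired key after cutover, successful or not, means the
    old credential was harvested and is being tried.
    """
    findings = []
    for ev in events:
        if ev["user"] not in BI_PRINCIPALS:
            continue
        if ev["outcome"] == "success" and not from_vendor_egress(ev["src_ip"]):
            findings.append(("vendor_principal_from_unexpected_ip", ev["ts"].isoformat(), ev["src_ip"]))
        if ev["ts"] >= ROTATION_CUTOVER and ev["key_id"] in RETIRED_KEY_IDS:
            findings.append(("retired_credential_used_after_rotation", ev["ts"].isoformat(), ev["src_ip"]))
    return findings


if __name__ == "__main__":
    for rule, ts, ip in hunt(parse_events(SAMPLE_LOG)):
        print(f"{ts} {ip} {rule}")
```

On the constructed log this yields two findings: the April 9 login from 192.0.2.77 (a valid credential used from outside the vendor), and the April 12 failed attempt with the retired key, which is the post-rotation signal worth paging on. Pull the real inputs from your warehouse's login history (Snowflake LOGIN_HISTORY, CloudTrail, PostgreSQL connection logs) and keep the retired-key list for as long as the vendor's exposure window could plausibly be exploited.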
Lessons for defenders
Vendor credential storage is a structural risk that needs architecture-level mitigation, not only policy-level review. Any SaaS vendor that holds reusable customer credentials is a single point of compromise for every source system those credentials reach. Mitigations, in rough order of strength: customer-managed vault or brokered-credential integrations where the long-lived secret never leaves your environment; private connectivity (PrivateLink and cloud equivalents) so the credential only works over the vendor's network path; network-restricted, read-only service accounts scoped to the schemas the vendor actually queries; and read-replica or export-dataset architectures where the vendor's credential reaches a copy rather than production. Whichever you choose, evaluate every SaaS vendor relationship for this pattern, and make "what could this vendor's copy of our secrets do if stolen" a standing question in vendor review.
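A scope audit for the credentials a vendor already holds, as an added example (not from Sisense, CISA or any source on this page). It inspects two constructed artifacts, the privilege grants of the PostgreSQL role the vendor logs in as and the AWS IAM policy attached to the vendor's access key, and flags anything beyond read-only access or usable from any network; the weak policy sits beside its hardened form. Role, object and policy contents are hypothetical.

```python
"""Scope audit for credentials a BI vendor already holds.

Added example, not from Sisense, CISA or any source on this page. It inspects
two constructed artifacts: the grants held by the PostgreSQL role the vendor
logs in as, and the AWS IAM policy attached to the vendor's access key. Role,
object and policy contents are hypothetical.
"""
import json

# Constructed: rows as a grants query would return them (grantee, object, privilege).
PG_GRANTS = [
    ("bi_reader", "sales.orders", "SELECT"),
    ("bi_reader", "sales.orders", "UPDATE"),  # a write grant a BI tool never needs
    ("bi_reader", "finance.ledger", "SELECT"),
]

# Constructed weak policy: wildcard S3 actions and no network restriction.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::analytics-export/*"},
  {"Effect": "Allow", "Action": ["athena:StartQueryExecution", "athena:GetQueryResults"],
   "Resource": "*"}
]}
""")

# Constructed hardened form: read-only actions, pinned to the vendor's egress range.
HARDENED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::analytics-export", "arn:aws:s3:::analytics-export/*"],
   "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.0/24"]}}}
]}
""")

# What a read-only BI identity legitimately needs (extend per data source).
READ_ONLY_DB_PRIVS = {"SELECT", "USAGE"}
READ_ONLY_AWS_PREFIXES = ("s3:Get", "s3:List", "athena:Get", "athena:Start", "glue:Get")


def audit_db_grants(grants):
    """Return (object, privilege) pairs that go beyond read access."""
    return [(obj, priv) for _, obj, priv in grants if priv.upper() not in READ_ONLY_DB_PRIVS]


def audit_iam_policy(policy, require_source_ip=True):
    """Flag Allow statements with non-read actions or without an aws:SourceIp condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            if action == "*" or action.endswith(":*") or not action.startswith(READ_ONLY_AWS_PREFIXES):
                findings.append(f"non-read-only action {action}")
        conditions = stmt.get("Condition", {})
        pinned = any("aws:SourceIp" in operands for operands in conditions.values())
        if require_source_ip and not pinned:
            findings.append("no aws:SourceIp condition; credential usable from any network")
    return findings


if __name__ == "__main__":
    print("db:", audit_db_grants(PG_GRANTS))
    print("weak:", audit_iam_policy(WEAK_POLICY))
    print("hardened:", audit_iam_policy(HARDENED_POLICY))
```

Run the equivalent per source system the vendor reaches: for Snowflake the inputs are SHOW GRANTS TO ROLE for the vendor's role and a network policy on the service user, for PostgreSQL the grants plus pg_hba.conf source restrictions. A vendor credential that passes both checks still needs rotating after a vendor breach, but what an attacker can do with it in the meantime is bounded to reading one dataset from one network.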
Credential dependency inventory is a precondition for rapid rotation. Customers without current inventories spent the first several days of the Sisense rotation work simply discovering what depended on each credential. Build and maintain the inventory before the first incident: for each credential, record which vendor holds it, where it is used, which dependent objects reference it, and what testing is required after rotation. Keep it in a configuration management database (CMDB), as metadata on the secret in a dedicated secrets platform (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager), or in lightweight documentation tooling; what matters is that it is current and queryable during an incident.
Pre-planned credential rotation playbooks for vendor incidents are now a baseline incident-response control. The Sisense incident, the 2024 Snowflake customer-account campaign (which affected AT&T among others), the 2023 Okta support system breach and Microsoft's Midnight Blizzard intrusion all required customer-side credential rotation after a vendor disclosure. The playbook covers vendor inventory, credential inventory per vendor, rotation sequence, dependent system updates, verification that old credentials are rejected, and post-rotation monitoring for attempted use of the retired credentials. Build it now, exercise it in tabletop drills, and refine it before the next vendor incident.
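The inventory and playbook lessons above, as an added example (not Sisense's API or any vendor's tooling): a constructed dependency inventory (credentials, the connections that use them, and the dashboards and schedules that use those connections), a function that returns everything a given credential breaks, a per-credential rotation sequence ordered by blast radius, and a check for connections whose credential is missing from the inventory, which is exactly what a rotation would silently skip. All names are hypothetical; populate the dicts from your CMDB or the vendor's admin API.

```python
"""Credential dependency inventory and a rotation plan for a BI-vendor incident.

Added example, not Sisense's API or any vendor's tooling. The inventory shape
(credential -> connections -> dashboards/schedules) and every name below are
constructed; populate the dicts from your CMDB or the vendor's admin API.
"""

# Vendor-held credentials: which source system, which principal, which vendor.
CREDENTIALS = {
    "cred-snowflake-bi": {"system": "snowflake", "principal": "svc_bi_reader", "vendor": "sisense"},
    "cred-pg-replica": {"system": "postgres-replica", "principal": "bi_ro", "vendor": "sisense"},
    "cred-sfdc-oauth": {"system": "salesforce", "principal": "bi-integration", "vendor": "sisense"},
}

# Vendor-side connections and the credential each one uses. "conn-legacy"
# points at a credential nobody recorded in CREDENTIALS, a common inventory gap.
CONNECTIONS = {
    "conn-sales-wh": "cred-snowflake-bi",
    "conn-finance-wh": "cred-snowflake-bi",
    "conn-ops-db": "cred-pg-replica",
    "conn-crm": "cred-sfdc-oauth",
    "conn-legacy": "cred-unknown-redshift",
}

# Objects that break when a connection's credential changes underneath them.
DASHBOARDS = {
    "dash-exec-kpis": ["conn-sales-wh", "conn-crm"],
    "dash-finance": ["conn-finance-wh"],
    "dash-ops": ["conn-ops-db"],
    "dash-legacy-report": ["conn-legacy"],
}
SCHEDULES = {
    "sched-nightly-sales": ["conn-sales-wh"],
    "sched-hourly-ops": ["conn-ops-db"],
}


def dependents(credential_id):
    """Everything that references a credential, directly or through a connection."""
    conns = {c for c, cred in CONNECTIONS.items() if cred == credential_id}
    dashboards = {d for d, used in DASHBOARDS.items() if conns & set(used)}
    schedules = {s for s, used in SCHEDULES.items() if conns & set(used)}
    return {
        "connections": sorted(conns),
        "dashboards": sorted(dashboards),
        "schedules": sorted(schedules),
    }


def blast_radius(credential_id):
    """Count of dependent objects; used to order the rotation."""
    return sum(len(v) for v in dependents(credential_id).values())


def rotation_plan(vendor):
    """Ordered per-credential steps for everything held by `vendor`, largest blast radius first.

    The new secret is issued and every dependent updated before the old secret
    is revoked, so revocation is a verified cutover rather than an outage.
    """
    creds = [c for c, meta in CREDENTIALS.items() if meta["vendor"] == vendor]
    creds.sort(key=blast_radius, reverse=True)
    plan = []
    for cred in creds:
        deps = dependents(cred)
        meta = CREDENTIALS[cred]
        target = f"{meta['principal']} on {meta['system']}"
        plan.append({
            "credential": cred,
            "steps": [
                f"pause schedules: {', '.join(deps['schedules']) or 'none'}",
                f"issue new secret for {target}",
                f"update connections: {', '.join(deps['connections'])}",
                f"test dashboards: {', '.join(deps['dashboards']) or 'none'}",
                f"revoke old secret for {target}",
                f"verify old secret is rejected; watch auth logs for {meta['principal']}",
                f"resume schedules: {', '.join(deps['schedules']) or 'none'}",
            ],
        })
    return plan


def orphan_connections():
    """Connections whose credential is not in the inventory: a rotation would skip them."""
    return sorted(c for c, cred in CONNECTIONS.items() if cred not in CREDENTIALS)


if __name__ == "__main__":
    for item in rotation_plan("sisense"):
        print(item["credential"])
        for step in item["steps"]:
            print("  -", step)
    print("orphans:", orphan_connections())
```

Ordering matters: issue the new secret and update every dependent before revoking the old one, so the revocation is a verified cutover rather than an outage. When you already have evidence of active misuse, revoke first and accept the downtime; the plan's verification step, watching auth logs for the old secret, applies either way. Run orphan_connections() before the rotation starts, because a connection bound to an unrecorded credential is the one that will still be live after you declare the rotation complete.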
CISA alert readiness should be a defined incident-response activation criterion. The Sisense alert concerned a vendor's compromised store of customer secrets rather than a product vulnerability, and it produced rapid customer-side action requirements without any binding directive. Build into your incident response plan a defined activation pattern for a CISA alert or advisory that touches your environment: who monitors CISA publications, how the content is assessed against your vendor and asset inventories, what activation level it triggers, and what the rapid response sequence looks like. Federal agencies have these procedures defined for Emergency Directives; private-sector organizations should define them for alerts as well.
Frequently asked questions
What happened in the Sisense breach?
On April 11, 2024 CISA published an alert urging Sisense customers to reset credentials and secrets potentially exposed to, or used to access, Sisense services, after Sisense notified customers of a security incident. Customers had loaded database credentials, API keys, OAuth tokens and cloud service credentials into Sisense for source-system connectivity, and per Krebs on Security the attackers reached those stored secrets through Sisense's GitLab repository and S3 buckets. Customer-side credential rotation ran for weeks across affected enterprises and, reportedly, federal agencies.
How did the Sisense breach happen?
Per Krebs on Security's April 11, 2024 reporting, attackers gained access to Sisense's self-managed GitLab code repository, found there a token or credential for Sisense's Amazon S3 buckets, and copied several terabytes of customer data from those buckets, reportedly including access tokens, passwords and SSL certificates. How the GitLab repository itself was compromised has not been disclosed by Sisense. With that data the actor could enumerate customer-supplied credentials and attempt direct access to customer databases, APIs and cloud services, which is why CISA directed rotation of everything stored with Sisense.
Why did CISA issue an emergency advisory about Sisense?
The CISA alert of April 11, 2024 reflected the severity of the exposure pattern: the secrets at risk belonged to Sisense's customers, reportedly including federal agencies, and a stolen source-system credential gives an attacker direct access that no patch can close. The alert asked for immediate rotation of credentials and secrets potentially exposed to, or used to access, Sisense services, as a precaution. It was an alert rather than an Emergency Directive, and it was unusual in addressing a vendor's compromised store of customer secrets rather than a product vulnerability.
What credentials had Sisense customers stored with the vendor?
Sisense customers had loaded credentials for the source systems that Sisense connected to for analytics queries. Categories included database passwords for Snowflake, Amazon Redshift, Google BigQuery, MySQL, PostgreSQL, and equivalent databases; API keys and OAuth tokens for Salesforce, Workday, NetSuite, and other SaaS applications; and cloud service credentials for AWS, Azure, and GCP source data services. Customer-side rotation work covered dozens of source system categories per customer environment.
What did Sisense customers have to do after the breach?
Per the CISA alert, customers had to rotate every credential and secret stored with or used to access Sisense, then locate every Sisense data source connection, dashboard, data model, schedule and dependent integration that referenced those credentials and update each one after the rotation. Customers without current credential dependency inventories spent the first several days simply discovering what depended on each credential. Effort per environment has not been published; for large enterprises with many source systems it plausibly ran to hundreds of person-hours, but that is an estimate rather than disclosed data.
Were Sisense customer data systems actually compromised?
Not publicly established. The CISA alert was precautionary, driven by the exposure of the secrets rather than by confirmed downstream access, and no compromise of a named Sisense customer's systems has been publicly attributed to the incident in the sources listed here. Harvested credentials can be used long after the theft, which is why rotation rather than monitoring alone was the right response.
What can other organizations learn from the Sisense breach?
Vendor credential storage is a structural risk that needs architecture-level mitigation: customer-managed vault integrations, private connectivity such as PrivateLink with network-restricted service accounts, and read-replica or export-dataset architectures where the vendor's credential is read-only and limited in scope. A credential dependency inventory is necessary for rapid rotation and must be maintained before the first incident, not improvised during it. Pre-planned credential rotation playbooks for vendor incidents are now a baseline incident-response control, and CISA alert readiness should be a defined incident-response activation criterion.
Sources
- CISA Alert: Compromise of Sisense Customer Data · CISA's April 11, 2024 alert urging customers to reset credentials and secrets potentially exposed to, or used to access, Sisense services
- Krebs on Security: Why CISA Is Warning CISOs About a Breach at Sisense · Brian Krebs's April 11, 2024 reporting that broke the public scope of the incident
- Sisense Customer Communications and Status Updates · Sisense's public security communications page maintained through and after the incident
- Wall Street Journal: CISA Warns Sisense Customers to Rotate Credentials · WSJ April 12, 2024 reporting on the federal customer impact and rotation directive
- Forrester Analysis: Sisense Breach Highlights BI Vendor Credential Risk · Forrester analyst commentary on the structural BI-vendor credential storage risk
- Reuters: Sisense Cybersecurity Incident and Customer Impact · Reuters reporting on the scope of customer impact and ongoing investigation