Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot. Learn more

Sisense Data Breach: What You Need to Know

The U.S. Cybersecurity and Infrastructure Agency (CISA) issued an alert warning Sisense customers of a data breach which could result in lateral movement to connected data sources.
Varonis Threat Labs
2 min read
Last updated April 19, 2024

The U.S. Cybersecurity and Infrastructure Agency (CISA) issued an alert warning Sisense customers of a data breach. The agency advised all Sisense customers to "reset credentials and secrets potentially exposed toor used to access, Sisense services" and report any suspicious activity.

Sisense's CISO echoed this message, advising customers: “Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application."

Sisense makes business intelligence products that allow customers to build custom dashboards by connecting to multiple third-party services.

IMPORTANT: The data stolen from Sisense includes credentials, tokens, and access configurations. Therefore, not only is the data stored within Sisense at risk, but data in each connected service may also be at risk. This includes cloud services such as Salesforce, Azure Blob, Amazon S3, Amazon RDS, GitHub, Google, Box, and many others.

Sisense can also establish JDBC and SSH connections to data sources on unmanaged or on-premises servers.

What does this mean for my organization?

If you are a Sisense customer, your Sisense credentials may have been compromised, giving bad actors access to data stored in your Sisense instance. Sisense has not confirmed precisely which data was stolen, and the nature of the data at risk will likely vary from customer to customer, depending on what they use Sisense for. Example dashboards include financial data, PII, customer data, HR data, and more.

Keep in mind that some Sisense integrations use OAuth and app keys to connect to third-party systems while others require a simple username and password. 

We advise Sisense customers to:

  • Reset credentials used to access Sisense products.
  • Reset credentials stored in Sisense for data integrations.
  • Limit Sisense access to integrations to Sisense IPs ( and to lower the risk of data exfiltration.
    • For self-hosted databases and SSH tunnels, limit user connections to the above IPs.
    • For cloud-hosted data sources (e.g., AWS or Azure), put a policy in place to restrict Sisense's cloud identity to act from the above IPs.
  • Search for Sisense integrations and users performing activity from IPs other than and (or other approved internal IPs) in integrated data sources and services including databases and cloud providers.
  • Look for anomalous users or resources created by Sisense integration users.
  • Review logs from at least a month back in your Sisense products, connected apps, and connected data sources.
  • Review actions performed by integration keys and credentials used for Sisense data integrations.

Sisense’s CISO sent an update to customers with a list of suggested actions (source: @marcwrogers): 

Sisense Steps
Figure 1: Screenshot of the email Sisense's CISO sent to customers with detailed instructions how to mitigate the risk of this data breach.

What happened?

There has been no confirmation by Sisense regarding how the breach happened. According to Brian Krebs, trusted sources close to the investigation indicated that the attack flow looked something like this:

  • Attacker accessed Sisense’s Gitlab instance
  • Found credentials to Sisense’s AWS account in a Gitlab repository
  • Accessed Sisense’s AWS account and downloaded multiple terabytes of S3 data including credentials, tokens, and configs


How can Varonis help?

If you are using Varonis to monitor services that are connected to Sisense such as Salesforce, AWS, Azure, Google Workspace, Box, etc., many of our existing threat models will help detect abnormal behavior stemming from malicious use of credentials stored in Sisense:

  • Abnormal service account behavior
  • Potential ticket harvesting attacks
  • Account enumeration
  • Abnormal access to sensitive and idle data
  • Unusual upload/download activity

These models also apply to customers using Varonis to monitor local resources like Linux servers, Windows machines, and Active Directory.

If you have our network monitoring product and are using Varonis' cloud-hosted offering, our Threat Labs team has already performed a threat hunt, using the Varonis logs to look for communication between your infrastructure and Sisense IP addresses and will reach out if needed.

If you are a Sisense customer and want assistance hunting for IOCs in data sources that are connected to Sisense, please reach out to our team.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

SecurityRWD - Introduction to AWS Lambda
Join Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team as they discuss AWS's serverless computing platform, Lambda. Find out what the Lambda functions allow for, see an everyday example of how it all comes together, and learn why it's so important for organizations to monitor Lambda's behavior within the entire Amazon Web Service ecosystem.
SecurityRWD - Introduction to AWS Services
Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team kick off a new series diving into the various services found under the AWS umbrella. In this video, they introduce and provide an overview of some of the core services including IAM, S3, and EC2.
Varonis Uncovers Another New Strain of the Qbot Banking Malware
Varonis has discovered and reverse engineered another new strain of Qbot, a sophisticated, well-known type of malware that collects sensitive data, such as browser cookies, digital certificate information, keystrokes, credentials, and session data from its victims to commit financial fraud.
Automate Exchange Distribution List Management
From a business perspective, distribution lists (DLs) for email communications are a powerful and well-understood concept in IT. And they are popular: Exchange admins have voted with their right-clicks, creating...