Breachwire.riscent

Breach report

Sisense: a hardcoded token in the code repo unlocked terabytes of customer data

PWA & Startup BreachesCritical2024-04
The bottom lineAttackers reached Sisense's self-managed GitLab repository, found a hardcoded credential to the company's Amazon S3 buckets, and exfiltrated several terabytes of customer data including access tokens, email passwords, and SSL certificates — prompting a rare CISA warning.
Category
PWA & Startup Breaches
Type
Named incident (hardcoded secrets → cloud exfiltration)
Date
2024-04
Severity
Critical
OWASP
Web A07 Identification and Authentication Failures
CWE / CVE
CWE-798

What happened

In April 2024, analytics vendor Sisense suffered a breach that led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publicly warn customers on April 11 to reset any credentials and secrets they had shared with the company. According to sources cited by Krebs on Security, attackers gained access to Sisense's self-managed GitLab code repository, where they found a token or credential that gave them access to Sisense's Amazon S3 buckets. From there they copied several terabytes of customer data, reportedly including millions of access tokens, email-account passwords, and even SSL certificates.

Root cause

A long-lived secret that unlocked production cloud storage was stored in source control (CWE-798, hardcoded credentials). Once an attacker reached the repo, the crown-jewels credential was sitting in plaintext — no additional barrier stood between code access and terabytes of customer data. Access tokens made the blast radius worse: they let an attacker stay authenticated for long or indefinite periods without ever needing the original password. "The code builds and runs" was satisfied; "a repo compromise does not become a cloud-storage compromise" was never enforced.

How it would have been caught

A secret-scanning pass over the repository and its full git history — failing the build on any AWS key, token, or password — flags the credential before an attacker finds it. A blast-radius review would show that one repo secret grants direct S3 read: a finding that should force the secret out of code and into a short-lived, scoped credential. The reproduction is a grep of history that returns a live cloud credential.

How to prevent it

  • Never store secrets in source. Use a secrets manager and short-lived, narrowly-scoped credentials; rotate on any suspicion.
  • Run secret scanning on every push and over history; gate merges on a clean result.
  • Segment blast radius: a repo credential should never grant broad production data access. Prefer per-service roles with least privilege.

The Breachwire test (red → green)

Run a secret scanner across the repository and its history and confirm it surfaces a working credential that authenticates to production storage — the RED proof that repo access equals data access. Remove the secret, rotate it, replace it with a short-lived scoped role, and confirm the scanner returns no live secrets and that the old credential no longer authenticates.