Millions of credentials and thousands of companies could be compromised by the recent cyber-attack on Sisense, a business analytics software company whose clients make up a who’s-who of the business world, according to CyberScoop.
The breach may have exposed hundreds of Sisense’s customers to a software supply chain attack and provided the attacker with a door into those customers’ networks, the news outlet said.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) April 11 warned companies to reset credentials and secrets potentially exposed to, or used to access, Sisense services, and to report to CISA any suspicious activity involving credentials exposed to or used to access Sisense services.
It’s also not yet clear how many companies are at risk, whether the attackers accessed Sisense customer networks, or who carried out the attack.
“This highlights the continued interest by malicious attackers when it comes to targeting widely used software products and suppliers including those used by critical infrastructure entities. Attackers continue to realize the value in focusing on software suppliers rather than targeting a single organization,” said Chris Hughes, chief security advisor at supply chain security company Endor Labs. “They can attack a large software supplier or open-source project and have a massive downstream impact across the entire software ecosystem. The software supply chain remains the soft underbelly of the digital environment.”
“Organizations need to start taking a hard look at their software suppliers and ensuring that those suppliers are part of their broader security program and integrated into key activities such as cybersecurity supply chain risk management and third party risk,” continued Hughes, who is also Cyber Innovation Fellow at CISA, where he focuses on supply chain security.
In a statement, Sisense said it was aware of the matter and promptly started an investigation. “Due to the ongoing nature of the investigation, the company has no further comment at this time. Sisense takes security very seriously, and we remain committed to our customers.”
According to Bloomberg, Sisense lists customers on its website including Verizon, Nasdaq and Air Canada. A Nasdaq spokesperson declined to comment, and the other companies didn’t immediately respond to requests for comment.
The compromise was earlier reported by the security journalist Brian Krebs.