Imperva Breach Exposed API Keys, SSL Certs For Some Firewall Users

A portion of Imperva’s customer base had their API keys, customer-provided SSL certificates, email addresses, and hashed and salted passwords revealed in the breach, which was discovered last week.

Imperva told customers Tuesday that a recent data breach revealed email addresses, hashed passwords, API keys and SSL certificates for some Web Application Firewall (WAF) users.

The Redwood Shores, Calif.-based cybersecurity vendor learned of the breach Aug. 20, 2019, and said it affected a portion of its Incapsula Cloud WAF customers who had accounts through Sept. 15, 2017.

A subset of Incapsula users through Sept. 15, 2017, had their API keys and customer-provided SSL certificates exposed, according to Imperva. In addition, Imperva said email addresses as well as hashed and salted passwords in the Incapsula customer database were also revealed.

[Related: Imperva To Buy Distil Networks To Bolster Bot Management]

"We want to be very clear that this data exposure is limited to our Cloud WAF product," Imperva President and CEO Chris Hylen wrote in a blog post. "We profoundly regret that this incident occurred and will continue to share updates going forward."

Imperva said it's informing all affected customers directly and sharing the steps the company is taking to safeguards their accounts and data, according to Hylen. In addition, the company said it has implemented forced password rotations and 90-day expirations for its Cloud WAF product.

The company said it's activated its internal data security response team, and continues to investigate with the full capacity of its resources how the exposure occurred. Outside forensic experts have been engaged around the breach, Imperva said, and the company has also informed the appropriate global regulatory agencies.

Imperva recommended that customers change their user account passwords for the Incapsula Cloud WAF, implement single-on, and enable two-factor authentication. In addition, the company recommended that users reset their API keys, and generate and upload new SSL certificates.

"We continue to investigate this incident around the clock and have stood up a global, cross-functional team," Hylen said in the post. "Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe."

Imperva purchased the outstanding shares of cloud-based web application security company Incapsula in February 2014 to boost its security around external-facing production applications like online banking, online gaming, and retail applications. The company itself was taken private in a $2.1 billion acquisition by Thoma Bravo announced in October 2018.