Cybersecurity company Imperva has suffered a data breach that led to the exposure of data belonging to customers of its Cloud Web Application Firewall (WAF) product.
Imperva’s Cloud WAF, previously known as Incapsula, is a security solution that is designed to help businesses protect their cloud services "against known and unknown threats, including all OWASP top 10 and zero-day threats".
Yesterday, however, Imperva’s President and Chief Executive Officer, Chris Hylen, revealed in a blog post that the company learned of the data exposure from a third party on 20th August 2019. The exposure affects a subset of Cloud WAF customers who had accounts through 15th September 2017. The information leaked from the affected Incapsula customer database includes customer email addresses, hashed and salted passwords and, for a “subset” of users, API keys and customer-provided SSL certificates.
While Imperva did not reveal how the exposure occurred, the company gave assurances that the breach affected only customers of its Cloud WAF and not its other products. Nevertheless, such security failures can be quickly leveraged by opportunistic attackers to cause significant damage to affected customers. In the case of Imperva, which is one of the biggest web application firewall providers around, we wonder how small that “subset” actually is.
According to Rich Mogull, founder of cloud security firm DisruptOps, who shared his comments with Krebs on Security, a threat actor with access to a customer’s API keys and SSL certificates could use that access to “significantly undermine the security of traffic flowing to and from a customer’s various Web sites.”
Threat actors could, for instance, exempt or “whitelist” their own traffic to and from a customer’s various web sites, and in the worst-case scenario “intercept, view or modify traffic destined for an Incapsula client web site, and even to divert all traffic for that site to or through a site owned by the attacker.”
Imperva is continuing to investigate the incident and has taken steps to remediate it, including informing the appropriate global regulatory agencies and impacted customers, engaging outside forensics experts, and implementing forced password rotations and 90-day password expirations in its Cloud WAF product.
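The two consequences above, an attacker exempting their own traffic from inspection and an attacker holding credentials the customer has not yet rotated, are the things an affected customer would want to check for in their own account. The audit below is an added example written for this article; it is not Imperva’s or Incapsula’s code, and the JSON-like export format, the field names, the approved address ranges and the sample account contents are all constructed stand-ins for a vendor’s real configuration export. It flags allowlist rules whose source ranges fall outside what the customer knowingly approved, and certificates or API keys issued before the disclosure date that have therefore not been rotated since.

```python
"""Post-incident audit of a cloud WAF account export.

Constructed example for the incident described above. The export format
below is a hypothetical, simplified stand-in for a vendor API response;
it is not Imperva's or Incapsula's real schema.
"""
import ipaddress
from datetime import date

# Anything issued before this date was in place when the exposure was
# disclosed and has not been rotated since. Date taken from the article.
ROTATION_CUTOFF = date(2019, 8, 20)

# Source ranges the customer has knowingly exempted from WAF inspection
# (constructed: an office egress range and a monitoring vendor's host).
APPROVED_ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Constructed account export. "allowlist" rules exempt a source from WAF
# inspection; "tls_cert" and "api_keys" carry the date each was issued.
SAMPLE_EXPORT = {
    "sites": [
        {
            "domain": "shop.example.com",
            "allowlist": [
                {"id": 1, "source": "198.51.100.0/24"},
                {"id": 2, "source": "203.0.113.10"},
                {"id": 3, "source": "192.0.2.77"},  # never approved
            ],
            "tls_cert": {"uploaded": "2017-03-01"},  # predates disclosure
        },
        {
            "domain": "api.example.com",
            "allowlist": [{"id": 4, "source": "192.0.2.0/24"}],  # never approved
            "tls_cert": {"uploaded": "2019-08-28"},  # re-issued after disclosure
        },
    ],
    "api_keys": [
        {"id": "k1", "created": "2016-11-05"},  # predates disclosure
        {"id": "k2", "created": "2019-08-27"},  # rotated after disclosure
    ],
}


def _covered(source: str) -> bool:
    """True if every address in `source` lies inside an approved range.

    A bare address is treated as a /32 (or /128) network, so a single
    host and a CIDR block are checked the same way. Mixed IPv4/IPv6
    comparisons are skipped because subnet_of() rejects them.
    """
    net = ipaddress.ip_network(source, strict=False)
    return any(
        net.subnet_of(approved)
        for approved in APPROVED_ALLOWLIST
        if approved.version == net.version
    )


def unexpected_allowlist(export: dict) -> list:
    """Allowlist rules that exempt sources the customer did not approve.

    An attacker holding the account's API key could add such a rule to
    pass their own traffic around the WAF, so each one is a finding.
    """
    findings = []
    for site in export["sites"]:
        for rule in site["allowlist"]:
            if not _covered(rule["source"]):
                findings.append((site["domain"], rule["id"], rule["source"]))
    return findings


def stale_credentials(export: dict, cutoff: date = ROTATION_CUTOFF) -> list:
    """Certificates and API keys issued before `cutoff`, i.e. not yet rotated."""
    findings = []
    for site in export["sites"]:
        if date.fromisoformat(site["tls_cert"]["uploaded"]) < cutoff:
            findings.append(("tls_cert", site["domain"]))
    for key in export["api_keys"]:
        if date.fromisoformat(key["created"]) < cutoff:
            findings.append(("api_key", key["id"]))
    return findings


if __name__ == "__main__":
    for domain, rule_id, source in unexpected_allowlist(SAMPLE_EXPORT):
        print(f"REVIEW allowlist rule {rule_id} on {domain}: {source} not approved")
    for kind, name in stale_credentials(SAMPLE_EXPORT):
        print(f"ROTATE {kind} {name}: issued before {ROTATION_CUTOFF}")
```

On the constructed export this reports the two allowlist rules for 192.0.2.0/24 sources and flags the shop.example.com certificate and API key k1 for rotation. Against a real account the export would come from the vendor’s API, and the approved ranges would come from the customer’s own change records rather than from the WAF console, since the console is exactly what an attacker with the API key could have edited.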
The company also recommends that customers take the following security measures as a matter of good practice:
We commend how open and transparent Imperva has been in disclosing and handling this security incident, and we hope that this becomes standard practice for businesses, especially in the era of regulations like GDPR. The breach also shows that as businesses continue to hand greater trust to technology vendors, those vendors are by no means impervious to such security missteps, even a cybersecurity firm like Imperva.