Imperva Notifies Cloud WAF Customers of Security Incident

California-based cybersecurity firm Imperva revealed on Tuesday that it recently learned of a security incident affecting some customers of its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula.

According to Imperva CEO Chris Hylen, the company learned of the incident on August 20, 2019, from a third party. An investigation is ongoing, but Imperva has so far determined that Cloud WAF customers who had accounts through September 15, 2017, are affected.

The exposed Incapsula customer database stored email addresses, hashed and salted passwords, and, in some cases, API keys and customers’ SSL certificates.

It’s unclear how many customers are affected and if the data was exposed as a result of a malicious attack or due to some kind of misconfiguration.

Imperva has highlighted that the incident only impacts its Cloud WAF product and affected customers are being informed directly.

In response to the incident, the company has hired outside forensics experts to assist with the investigation, informed global regulator agencies, and implemented forced password rotations and 90-day expirations for the Cloud WAF product.

“We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry,” Hylen said.

Imperva acquired cloud-based website performance and security service Incapsula in 2014. Incapsula was a majority owned subsidiary even before the acquisition.

“Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI,” Chris Morales, Head of Security Analytics at Vectra, told SecurityWeek. 

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks.

“As a security vendor, I know our own industry must practice the same vigilance we preach. Even then, we must assume a breach can occur and be prepared to respond before information is stolen that can impact our clients,” he added.

Related: Russian Hackers Claim Breach of Three U.S. Anti-Virus Companies

Related: Researchers Claim They Bypassed Cylance’s AI-Based Antivirus

Related: Attack on Software Firm Was Sophisticated, Highly Targeted