Update on Oct. 11 9:30 AM IST: Imperva has published a detailed post-mortem of a security breach it disclosed two months ago. The firm blamed it on a botched cloud migration of its customer database that began in 2017, as a result of which a snapshot of the database used for testing purposes was left accessible from the internet.
This AWS database instance contained an API key that was stolen to access the data in the test snapshot, the company said.
Imperva, however, didn’t provide exact dates for when these events happened. So, it’s hard to ascertain for how long the hacker had access to this database server.
“We have not found any malicious behavior targeting our customers (logins, rule changes, etc.) and have implemented procedures to continue monitoring for such activity,” the company’s CTO Kunal Anand said. The original story follows.
You know it’s a bad day for cybersecurity when a leading provider of internet firewall services that helps safeguard websites from malicious attacks suffers from a security breach of its own.
Imperva, a popular California-based security vendor of data and application security solutions, disclosed that information belonging to an unspecified subset of users of its cloud firewall product was exposed online.
The breach, to which it was alerted via an unnamed third party on August 20, included email addresses, hashed and salted passwords, API keys, and SSL certificates of a fraction of its customers registered through September 15, 2017.
Imperva’s Cloud Web Application Firewall (WAF) — formerly called Incapsula — scans incoming web traffic for any malicious activity such as SQL injection and denial-of-service attacks, and blocks them from reaching their intended destination.
Earlier this January, it was acquired by private equity firm Thoma Bravo for $2.1 billion, adding to the latter’s cybersecurity portfolio comprising of DigiCert, Imprivata, Barracuda Networks, LogRhythm, McAfee, and Veracode.
While Imperva continues to engage forensics experts, it hasn’t disclosed how or when the leak happened citing an ongoing investigation. It’s not immediately clear if any of the exposed data has been accessed by other third parties — outside of the party that found the breach, that is.
In the wake of the incident, the firm has implemented forced password resets and a 90-day password expiration policy for the product.
Assuming threat actors are in possession of the keys, it could allow them to intercept web traffic destined for a client website, and possibly even divert the traffic to a site owned by the attacker.
So, it’s crucial that Cloud WAF customers change their account passwords, implement single sign-on, enable two-factor authentication, generate and upload new SSL certificate, and reset their API keys.