Security firm Imperva says that the API keys and SSL certificates of some of the customers who use the company’s Cloud Web Application Firewall were exposed in a recent breach, along with the email addresses and hashed passwords of a larger group of customers.
The company became aware of the breach on August 20 when a third party informed company officials of the problem. The data exposure only affects customers of the Cloud WAF product, which was formerly known as Incapsula, and is limited to customers who had accounts through about two years ago.
“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” said Chris Hylen, CEO of Imperva.
“We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe.”
Though the exposure of customer email addresses and hashed and salted passwords is problematic, the much larger issue is the exposure of the API keys and SSL certificates. With those in hand, an attacker would privileged access to the target customer’s Cloud WAF installation. That access could allow the attacker to modify rules on the WAF to allow his own traffic or that of other attackers through.
As part of the response to the breach, Imperva officials have forced password resets for all of the affected customers and encouraging them to enable two-factor authentication on their accounts. The 2FA options that Imperva provides include getting passcodes through email or SMS, or using the Google Authenticator app.
The Imperva Cloud WAF is one of a handful of enterprise-class WAFs that are designed to provide protection from web-based attacks through a cloud-based implementation.