Imperva discloses security incident affecting Cloud WAF customers

Imperva, the well-known California-based web application security company, has announced that it has suffered a “security incident” involving its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula.


What happened?

The announcement is very light on details and (perhaps intentionally) vaguely worded, but these are the currently known facts:

  • On August 20, 2019, a third party notified Imperva of a data exposure impacting some of its customers
  • Imperva’s initial investigation discovered that parts of its Incapsula customer database were exposed, including email addresses, hashed and salted passwords, API keys and customer-provided SSL certificates of a “subset” of Incapsula customers (up until September 15, 2017)
  • The investigation is ongoing; the company has called in outside forensic experts, notified the appropriate global regulatory agencies, and begun informing impacted customers and advising them on what to do

The company chose not to share for now:

  • Who was the reporting third party
  • Whether this was a data leak (e.g., a misconfigured cloud backup of the database) or whether their own networks and systems have been breached
  • Why they didn’t spot the leak/breach themselves
  • Whether the compromised data was discovered being sold or actively misused
  • The approximate number of affected customers, or
  • When the breach actually happened.

It’s, of course, possible that they don’t know the answers to some of these questions yet.

The company has advised all Cloud WAF customers to change the passwords for their Cloud WAF user accounts, implement Single Sign-On (SSO), enable two-factor authentication, generate and upload a new SSL certificate, and reset API keys.

Imperva has also decided to implement forced password rotations and 90-day expirations in their Cloud WAF product.

The company is owned by private equity firm Thoma Bravo, which acquired it in 2019.
