By The Integrity360 Team on August 28, 2019

Imperva Advisory Alert

Breaches, Alerts & Advisories

Imperva's Cloud Web Application Firewall (WAF)  hacked

Cloud security specialist Imperva says its Cloud Web Application Firewall (WAF) product has been hacked, with a “subset” of customers’ API keys and SSL certificates stolen in the attack which was discovered on August 20.

The Redwood Shores, California-based firm says the breach was disclosed to it by a third-party. The company has yet to reveal details of that disclosure. 

Imperva’s WAF was previously known as Incapsula. The company describes it as “a key component of Imperva’s market-leading, full stack application security solution which brings defense-in-depth to a new level.”

Imperva has not disclosed which customers were affected by the incident.

CEO Chris Hylen wrote: “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017 were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”

Imperva Hacked: “Profoundly Regrets” Incident

Rich Mogull, founder of cloud security firm DisruptOps told Brian Krebs that stolen customer API keys and SSL certificates could, in a worst case scenario, allow an attacker “to intercept, view or modify traffic destined for an Incapsula client web site, and even to divert all traffic for that site to or through a site owned by the attacker.”

He added: They could modify any of the security Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”

Imperva’s CEO told customers: “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva has “implemented forced password rotations and 90-day expirations in our Cloud WAF product” he wrote today. (Critics may note that this is shutting the stable door after the horse has bolted and given the prevalence of credential stuffing/password re-use, may have been wise to implement earlier…)

The company says it is encouraging customers to:

Please click below for the latest update from Imperva: