Imperva Firewall Breach Exposes Customer API Keys, SSL Certificates

imperva cloud waf breach

The issue impacts users of the vendor’s Cloud WAF product.

UPDATE

Imperva, the security vendor, has made a security breach public that affects customers using the Cloud Web Application Firewall (WAF) product.

Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity.

Users’ emails and hashed and salted passwords were exposed, and some customers’ API keys and SSL certificates were also impacted. The latter are particularly concerning, given that they would allow an attacker to break companies’ encryption and access corporate applications directly.

“Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI,” said Chris Morales, head of Security Analytics at Vectra, speaking to Threatpost.

Imperva has implemented password resets and 90-day password expiration for the product in the wake of the incident.

Imperva said in a website notice that they learned about the exposure via a third party on August 20. However, the affected customer database contained old Incapsula records that go up to Sept. 15, 2017 only.

https://twitter.com/GossiTheDog/status/1166366103251103747

“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva also said that it “informed the appropriate global regulatory agencies” and is in the process of notifying affected customers directly.

When asked for more details (such as if this is a misconfiguration issue or a hack, where the database resided and how many customers are affected), Imperva told Threatpost that it is not able to provide more information for now.

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks,” Morales told Threatpost.

he added, “As a security vendor, I know our own industry must practice the same vigilance we preach. Even then, we must assume a breach can occur and be prepared to respond before information is stolen that can impact our clients.”

This story was updated Aug. 28 at 11:15 a.m. to include third-party researcher reaction from Vectra.

 Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles