‘Now, more than ever, we commit to our vision, where data and applications are kept safe’

Security vendor Imperva has released a post-mortem report over a security incident that impacted the organization in August.

The data breach, announced on August 27, affected customers of its Cloud WAF, a web application firewall product.

Email addresses, hashed and salted passwords, and API and TLS keys were exposed in the breach, which the company was alerted to by an anonymous third-party.

As previously reported by The Daily Swig, Imperva immediately contacted its incident response teams upon learning of the compromised dataset, and urged customers to change user account passwords.

The incident exposed elements of customer data limited to Cloud WAF accounts prior and up to September 15, 2017. 

In a post published yesterday, the security company said that the breach was not due to any vulnerability within the Cloud WAF, or other Imperva products.

The unauthorized use of an administrative API key to access an Imperva AWS account had led to the data being exposed, the company said.

The exfiltration could be traced back to October 2018.

“I’ll start by going back to 2017 when our Cloud WAF, previously known as Incapsula, was under significant load from onboarding new customers and meeting their critical demands,” said Kunal Anand, chief technology officer at Imperva.

“That year, our product development team began the process of adopting cloud technologies and migrated to AWS Relational Database Service (RDS) to scale our user database.”

Anand said that during the company’s AWS evaluation process several steps allowed for the database to be exposed.

“These were: (1) we created a database snapshot for testing; (2) an internal compute instance that we created was accessible from the outside world and it contained an AWS API key; (3) this compute instance was compromised and the AWS API key was stolen; and (4) the AWS API key was used to access the snapshot.”

Fresh rotation

Imperva said it found no malicious activity as a result of the data exposure, and has taken steps to improve its security protocol including regular auditing, rotation of credentials, and the implementation of a VPN by default for all internal compute instances.

More than 13,000 passwords were changed and more than 13,500 SSL certificates were rotated as a result of the company’s response to the August security incident

Anand added that the breach had been a learning experience for the company, and apologized to potentially impacted customers.

“Our vision remains the same: to lead the world’s fight on behalf of our customers and their customers to keep data and applications safe from cybercriminals,” he said.

“Now, more than ever, we commit to our vision, where data and applications are kept safe.”

YOU MIGHT ALSO LIKE ModSecurity: OWASP Core Rule Set update addresses denial-of-service vulnerability