Cybersecurity company Imperva today disclosed a data breach that impacts certain customers of its Cloud Web Application Firewall (WAF) product who had accounts through Sept. 15, 2017.
The breach exposed email addresses, hashed and salted passwords, and, for a subset of customers, API keys and customer-provided SSL certificates. In a company blog post, Imperva says it first became aware of the incident on Aug. 20. Additional details pertaining to the nature of incident, including the cause and the number of individuals impacted, were not revealed in the announcement.
In response to the incident, the Redwood City, California-based firm says that it has delegated responsibilities to both an internal data security response team and outside forensics experts, and has commenced outright to global regulatory agencies as well as affected customers. It has also forced password rotations and 90-day expirations in the Cloud WAF product.
On its website, Imperva says that its Cloud WAF product, formerly known as Incapsula, "protects against all application security threats, including SQL injection, cross-site scripting (XSS) and remote file inclusion (RFI), and more... You can easily build custom WAF rules and secure your API interfaces." The product page also says that the solution provides automated virtual patching, and offers additional services including bot control, account takeover protection, backdoor protection, two-factor authentication and SIEM integration.
Imperva is recommending that Cloud WAF customers further protect themselves by changing their passwords, instituting Single Sign-On and two-factor authentication, generate and upload new SSL certificates, and reset API keys.
The news opened up Imperva to criticism from other companies that offer security solutions designed to protect cloud-based data and systems. "While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks," said Chris Morales, head of security analytics at threat detection and response company Vectra. "As a security vendor, I know our own industry must practice the same vigilance we preach. Even then, we must assume a breach can occur and be prepared to respond before information is stolen that can impact our clients."
"Data breaches will inevitably happen. In this case it appears that the primary information that was breached was email address (presumably the user id) and salted password," said Jim Reavis, CEO of the Cloud Security Alliance. "Given that this is a credential theft, the biggest lesson learned is the utility of multi-factor authentication. Strong authentication renders this type of breach inconsequential, as the attacker can do nothing without access to the second factor."