
Imperva told customers Tuesday that a recent data breach revealed email addresses, hashed passwords, API keys and SSL certificates for some Web Application Firewall (WAF) users.
The Redwood Shores, Calif.-based cybersecurity vendor learned of the breach Aug. 20, 2019, and said it affected a portion of its Incapsula Cloud WAF customers who had accounts through Sept. 15, 2017.
A subset of Incapsula users through Sept. 15, 2017, had their API keys and customer-provided SSL certificates exposed, according to Imperva. In addition, Imperva said email addresses as well as hashed and salted passwords in the Incapsula customer database were also revealed.
"We want to be very clear that this data exposure is limited to our Cloud WAF product," Imperva President and CEO Chris Hylen wrote in a blog post. "We profoundly regret that this incident occurred and will continue to share updates going forward."
Imperva said it's informing all affected customers directly and sharing the steps the company is taking to safeguard their accounts and data, according to Hylen. In addition, the company said it has implemented forced password rotations and 90-day expirations for its Cloud WAF product.
The company said it's activated its internal data security response team, and continues to investigate with the full capacity of its resources how the exposure occurred. Outside forensic experts have been engaged around the breach, Imperva said, and the company has also informed the appropriate global regulatory agencies.
Imperva recommended that customers change their user account passwords for the Incapsula Cloud WAF, implement single sign-on, and enable two-factor authentication. In addition, the company recommended that users reset their API keys, and generate and upload new SSL certificates.
"We continue to investigate this incident around the clock and have stood up a global, cross-functional team," Hylen said in the post. "Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe."
Imperva purchased the outstanding shares of cloud-based web application security company Incapsula in February 2014 to boost its security around external-facing production applications like online banking, online gaming, and retail applications. The company itself was taken private in a $2.1 billion acquisition by Thoma Bravo announced in October 2018.
