Details around a newly disclosed Imperva security incident are thin, but it is clear that affected customers will need to take significant precautions to protect themselves.
Imperva announced a data exposure impacting "a subset" of its cloud web application firewall (WAF) customers. The company learned of the issue on Aug. 20 and said that some cloud WAF customers "who had accounts through September 15, 2017" were affected.
The Imperva security incident exposed email addresses as well as hashed and salted passwords held in a customer database. The company also said "a subset" of customers had API keys and customer-provided SSL certificates exposed.
Imperva did not provide more specific numbers, and a company spokesperson said Imperva could not comment further while the investigation was ongoing.
John Adams, CEO of application security vendor Waratek, noted that the number of affected customers is likely high because Imperva is "a top three cloud WAF provider" with a substantial customer base.
Kevin Beaumont, a security researcher based in the U.K., said on Twitter that the exposure of SSL certificates means malicious actors could potentially break end-to-end encryption in the Imperva cloud WAF.
Rich Mogull, CEO of Securosis, added on Twitter that there could be additional risks from the Imperva security incident.
"Imperva top risks if attacker gets into config:
* Redirect traffic to new destination
* Whitelist attacker source IP to evade WAF
* Modify security settings
* If private cert compromised, localized MiTM/sniffing/replay decryption"
(Rich Mogull, @rmogull, August 27, 2019)
Imperva CEO Chris Hylen wrote in a blog post that the company has informed regulatory agencies around the world about the incident and "implemented forced password rotations and 90-day expirations in our Cloud WAF product."
Hylen also recommended that users change their account passwords, implement single sign-on and two-factor authentication, generate and upload new SSL certificates, and reset their API keys.
Adams noted that all of this will be very disruptive to Imperva customers.
"Because sensitive customer data have already been exfiltrated, Imperva's options on how to respond to re-secure itself and its users are very limited. While email addresses and/or passwords can be changed relatively easily, changing API keys and SSL certificates most likely requires all the web services that interact over those API channels to be updated and redeployed to production. That's a considerable and disruptive task," Adams wrote via email. "Once the API keys and SSL certs are out in the wild (which they are here), there's no option but to throw them away and create entirely new ones going forward."
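The risks Mogull lists (a changed origin, a new allowlisted source IP, weakened settings, a still-compromised certificate) and the rotation steps Hylen recommends can both be checked from a configuration snapshot. The script below is an added example written for this article; it is not Imperva's code or API. The snapshot layout (origin, allowlist, settings, certificate_pem), the function names, and all sample data are constructed for the example, using RFC 5737 documentation addresses and a stand-in PEM whose body is not a real certificate. It compares a pre-incident baseline against the current configuration and reports each attacker-style change, then flags whether the site is still serving a certificate that was in the account before the exposure, which is the practical test of whether rotation actually happened.

```python
"""Post-incident audit of a cloud WAF site configuration.

Added example, not Imperva's code or API. The snapshot layout (origin,
allowlist, settings, certificate_pem) is hypothetical, and all sample
data below is constructed. The audit compares a pre-incident baseline
against the current configuration and reports the changes an attacker
with account access could make (new origin, new allowlisted source,
weakened settings), plus whether the site still serves a certificate
that was in the account before the exposure, i.e. whether rotation is done.
"""
from __future__ import annotations

import base64
import hashlib
import ipaddress


def fake_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate PEM; the body is NOT real DER."""
    body = base64.b64encode(label).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes inside a PEM block, as lowercase hex.

    For a real certificate this is the value `openssl x509 -fingerprint -sha256`
    prints, so it can be compared against what the edge actually serves.
    """
    body = "".join(
        line.strip() for line in pem.splitlines() if not line.startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


# Constructed snapshots using documentation address ranges (RFC 5737).
BASELINE = {
    "origin": "192.0.2.10",                      # where the WAF forwards traffic
    "allowlist": ["198.51.100.0/24"],            # sources that bypass inspection
    "settings": {"waf_mode": "block", "bot_protection": True},
    "certificate_pem": fake_pem(b"constructed cert uploaded before the exposure"),
}

CURRENT = {
    "origin": "203.0.113.50",                    # traffic now goes somewhere else
    "allowlist": ["198.51.100.0/24", "203.0.113.7"],
    "settings": {"waf_mode": "monitor", "bot_protection": True},
    "certificate_pem": BASELINE["certificate_pem"],  # never rotated
}

# Every certificate that was in the account before the disclosure has to be
# treated as compromised; in this constructed case that is the baseline cert.
EXPOSED_FINGERPRINTS = {pem_fingerprint(BASELINE["certificate_pem"])}


def audit(baseline: dict, current: dict, exposed: set) -> list:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []

    # 1. Redirected traffic: the origin the WAF proxies to has changed.
    if baseline["origin"] != current["origin"]:
        findings.append(f"origin changed: {baseline['origin']} -> {current['origin']}")

    # 2. WAF bypass: a new source network was allowlisted.
    old = {ipaddress.ip_network(n, strict=False) for n in baseline["allowlist"]}
    new = {ipaddress.ip_network(n, strict=False) for n in current["allowlist"]}
    for net in sorted(new - old, key=str):
        findings.append(f"new allowlist entry: {net}")

    # 3. Weakened protection: any security setting that no longer matches.
    for key in sorted(set(baseline["settings"]) | set(current["settings"])):
        old_val = baseline["settings"].get(key)
        cur_val = current["settings"].get(key)
        if old_val != cur_val:
            findings.append(f"setting changed: {key}: {old_val} -> {cur_val}")

    # 4. Incomplete rotation: the served certificate is one that was exposed.
    fp = pem_fingerprint(current["certificate_pem"])
    if fp in exposed:
        findings.append(f"exposed certificate still in use: sha256={fp}")

    return findings


if __name__ == "__main__":
    for line in audit(BASELINE, CURRENT, EXPOSED_FINGERPRINTS):
        print(line)
```

Run against the constructed snapshots, the audit reports all four of Mogull's risk categories. Uploading a fresh certificate makes the fourth finding disappear, which is the check a customer would want after following Hylen's advice: not that a new certificate was generated, but that the old fingerprint is no longer what the edge presents. API keys cannot be audited this way because the old values are not in the configuration; for those, the only check is that every caller has been redeployed with the new key and the old one no longer authenticates.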