Imperva suffers security incident impacting cloud (WAF) users

• The data exposure has impacted a subset of customers of its WAF product who had accounts registered up until September 15, 2017.
• The exposed Incapsula customer database included email addresses and hashed and salted passwords.

What happened?

Cybersecurity firm Imperva suffered a data breach incident impacting the users of its Cloud Web Application Firewall (WAF) product, previously known as Incapsula.

What is the impact?

Imperva learned about the data exposure on August 20, 2019, from a third party.

• The data exposure has impacted a subset of customers of its WAF product who had accounts registered up until September 15, 2017.
• The exposed Incapsula customer database included email addresses and hashed and salted passwords.
• A few Incapsula customers also had their API keys and customer-provided SSL certificates exposed.

What actions are being taken?

• Upon learning about the incident, Imperva’s internal data security response team launched an investigation to determine how this exposure occurred.
• Imperva has reported the incident to the appropriate global regulatory agencies and has notified all the impacted customers.
• The cybersecurity firm has engaged third-party forensic experts and has implemented forced password rotations and 90-day expirations in its Cloud WAF product.

What should you do?

Imperva has requested its customers to implement certain preventive measures such as:

• Reset user account passwords for Cloud WAF, implement Single Sign-On (SSO), and enable two-factor authentication.
• Generate and upload a new SSL certificate and reset API keys.

“We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe,” Imperva said in a security notice.