The data exposure incident is limited to the Cloud WAF, according to the blog post by Chris Hylen (the company's President and Chief Executive Officer).
I want to share details about a security incident at Imperva that resulted in a data exposure impacting our Cloud Web Application Firewall (WAF) product, formerly known as Incapsula.
Here is what we know about the situation today:
- On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017.
- Elements of our Incapsula customer database through September 15, 2017 were exposed.
  - email addresses
  - hashed and salted passwords

  And for a subset of the Incapsula customers through September 15, 2017:
  - API keys
  - customer-provided SSL certificates
We continue to investigate this incident around the clock and have stood up a global, cross-functional team.
What are the consequences?
According to KrebsOnSecurity:
Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers in business today.
According to Mogull, an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.
At a minimum, he said, an attacker in possession of these key assets could reduce the security of the WAF settings and exempt or “whitelist” from the WAF’s scrubbing technology any traffic coming from the attacker. A worst-case scenario could allow an attacker to intercept, view or modify traffic destined for an Incapsula client Web site, and even to divert all traffic for that site to or through a site owned by the attacker.
“Attackers could whitelist themselves and begin attacking the site without the WAF’s protection,” Mogull told KrebsOnSecurity. “They could modify any of the Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”
Imperva urged all of its customers to take several steps that might mitigate the threat from the data exposure, such as changing passwords for user accounts at Incapsula, enabling multi-factor authentication, resetting API keys, and generating/uploading new SSL certificates.
Ironically, a top product from Imperva is "Data Security": a security solution that
reduces your security and compliance risk while enabling digital transformation. It protects your data on-premises and in the cloud by discovering sensitive data, monitoring all data activity, stopping unauthorized access, uncovering risky users and suspicious actions, providing actionable security insights and masking data for non-production use
A big problem of damaged reputation, no doubt.