Cyber Incident Victim: Imperva
Date: Aug 2019
Location: United States of America
Summary
A cybersecurity firm disclosed a breach affecting its cloud-based web application firewall product, exposing customer email addresses, hashed and salted passwords, API keys, and SSL certificates for accounts created prior to a 2017 cutoff. The compromise—discovered via third-party notification—posed severe risks, as attackers could exploit API keys to disable security controls, bypass traffic filtering, intercept or modify communications, and redirect web traffic. Experts emphasized the criticality of the exposure, noting that stolen SSL certificates and API access could undermine fundamental security assurances provided by the service. The company advised impacted customers to reset credentials, rotate API keys, replace certificates, and enable multi-factor authentication to mitigate potential threats.
Description
On August 27, 2019, Imperva, a California-based cybersecurity firm specializing in web application firewall (WAF) services, disclosed a data breach impacting customers of its cloud-based Incapsula WAF product. The company learned of the incident on August 20, 2019, via third-party notification, revealing unauthorized access to elements of its Incapsula customer database from September 15, 2017, or earlier. Exposed information included email addresses and hashed-and-salted passwords for affected Cloud WAF accounts. For a subset of these customers, API keys and customer-provided SSL certificates were also compromised. Imperva clarified the breach exclusively affected its Cloud WAF product infrastructure, with no evidence suggesting broader system compromise beyond the 2017 dataset. The Incapsula service routes client website traffic through its systems to filter malicious activity before forwarding legitimate traffic, positioning Imperva as a critical security layer for numerous organizations.

The exposure of API keys and SSL certificates created significant operational risks, as attackers could manipulate WAF security settings to bypass protections or intercept website traffic. Security experts indicated compromised API keys might enable attackers to whitelist malicious traffic sources, disable security controls, or redirect traffic to attacker-controlled destinations. SSL certificate access raised concerns about potential decryption or modification of encrypted communications destined for client sites. Imperva responded by instructing all Cloud WAF customers to reset account passwords, enable multi-factor authentication, regenerate API keys, and replace SSL certificates. The company emphasized ongoing investigation but provided no details regarding breach methodology or attacker identity. Third-party analysts highlighted the severity of credential exposure at a security-as-a-service provider, noting such incidents undermine fundamental trust in critical infrastructure guardians.
