The data breach that recently affected customers of Imperva’s Cloud Web Application Firewall (WAF) occurred due to errors that happened while the company was migrating to a cloud-based database service, Imperva’s Chief Technology Officer, Kunal Anand, recently disclosed.
According to Anand, Imperva started migrating to the AWS Relational Database Service (RDS) in 2017, and a series of mistakes during this process allowed an unauthorized party to steal an administrative API key for one of Imperva’s products, Incapsula, the firm’s cloud WAF.
Anand stated that, after an investigation involving its internal security teams and outside forensics specialists, the company identified that unauthorized use of an administrative API key in one of its AWS accounts in October 2018 led to the exposure of a database snapshot containing emails and hashed passwords.
“I’ll start by going back to 2017 when our Cloud WAF, previously known as Incapsula, was under a significant load from onboarding new customers and meeting their critical demands. That year, our product development team began the process of adopting cloud technologies and migrated to AWS Relational Database Service (RDS) to scale our user database,” Anand said in a statement.
In August 2019, Imperva notified its customers about the data breach that affected a subset of its Cloud WAF. “We learned from a third-party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” wrote Heli Erickson, director of analyst relations at Imperva. “We want to be very clear that this data exposure is limited to our Cloud WAF product.”
“While the situation remains under investigation, what we know today is that elements of our Incapsula customer database from 2017, including email addresses and hashed and salted passwords, and, for a subset of the Incapsula customers from 2017, API keys and customer-provided SSL certificates, were exposed,” Erickson added.