Imperva, a cybersecurity and DDoS defense company, has disclosed a data exposure affecting users of its Cloud WAF product.
The incident, which the company became aware of on August 20, 2019 (thanks to a warning received from an unnamed third party), affected Cloud WAF customers whose accounts were registered before September 15, 2017. “On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” Imperva reported.
The official statement said that attackers could have obtained email addresses, hashed and salted passwords, API keys and SSL certificates belonging to a subset of users.
The company has apologized, begun notifying the affected customers and initiated a password reset for their Cloud WAF accounts.
“We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe,” said Chris Hylen, CEO of Imperva, Inc.
It is still unclear exactly how this data leak occurred: Imperva representatives have declined to comment on the situation, citing the ongoing investigation, which already involves law enforcement agencies.
So far it is not even clear whether the company was hacked or whether a data server was simply left “open” to anyone. It is also unknown when the exposure occurred (it can be assumed that it happened back in 2017) and who discovered the problem: one of the customers, a bug hunter or someone else.
Meanwhile, Imperva engineers recommend that their customers take the following security measures:
- Change user account passwords for Cloud WAF (my.incapsula.com)
- Implement Single Sign-On (SSO)
- Enable two-factor authentication
- Generate and upload a new SSL certificate
- Reset API keys