The company blamed the security breach on an Amazon Web Services (AWS) API key a hacker stole from an internal system that was left accessible from the internet.
The post-mortem is a little bit convoluted, but we summarized the series of events that led to the Imperva breach in the list below:
- Imperva said it experienced a period of business growth in 2017.
- As a result, the company began adopting cloud technologies to scale its business and infrastructure.
- Imperva decided to evaluate AWS' Relational Database Service (RDS) to scale its user database.
- The company uploaded a snapshot of its customer database to a test AWS RDS instance.
- But in an unrelated incident, the company left an internal system accessible from the internet.
- This internal system stored a copy of the company's AWS API key.
- A hacker found this server, described as a "compute instance," and stole the API key.
- The hacker used the AWS API key to access Imperva's cloud infrastructure, where he found the AWS RDS service the company used for testing.
Imperva didn't provide exact dates for the events listed above, so we don't yet know for how much time the hacker had access Imperva's servers.
However, the company said that sometime in October 2018, the intruder began downloading a copy of the database snapshot they uploaded on the AWS RDS account.
Imperva CEO Chris Hylen said that they learned of the hack months later, on August 20, 2019, when a third-party contacted the company, provided a copy of the stolen data, and then requested a bug bounty.
The company didn't say if this third-party was a legitimate security researcher or the hacker trying to earn a reward from the company he previously hacked.
In its August blog post, Imperva also didn't say how many users were impacted, but today, Hylen provided a rough estimate.
The Imperva CEO said that after the company notified impacted customers of the security breach, customers changed 13,000 passwords, rotated more than 13,500 SSL certificates, and regenerated more than 1,400 Imperva API keys.
Only customers who signed up with Imperva before September 15, 2017, were impacted -- as that was the date of the database snapshot the company uploaded to its AWS RDS test account.
Imperva said such a breach wouldn't be possible again today because they moved all internal compute instances behind a VPN by default in the meantime, in a security upgrade unrelated to the breach.
Nonetheless, the company now joins a long list of companies that had customer data stolen because of accidental exposures of internal systems on the internet.