Exposed data included customer email addresses, along with hashed and salted passwords, for a subset of customers the company had registered up until September 15, 2017. For a small number of users, API keys and customer-provided SSL certificates were also exposed.
Imperva said the security incident only affected customers of its cloud WAF, and not other products.
As a result of the breach, the company said it began notifying impacted customers and started forcing users to change passwords for their cloud WAF accounts.
Imperva also apologized to customers, said it also engaged forensics experts to help with the investigation, and "informed the appropriate global regulatory agencies."
When contacted for additional comment via email and telephone, an Imperva spokesperson cited the ongoing investigation and said they could not provide any other details. The questions that ZDNet sent Imperva, and which most customers would like to have answered, are below:
Did the breach occur because of a server left exposed online by accident or due to an unauthorized, forceful intrusion?
Is the "third party" who found the breach a source in law enforcement, a bug bounty hunter, or one of Imperva's customers?
Did the breach occur in 2017, but was only now discovered?