Cyber-security and DDoS mitigation firm Imperva disclosed today a security incident that impacts customers of its cloud web application firewall (WAF), formerly known as Incapsula.
"On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017," the company said in a message posted on its website.
Exposed data included customer email addresses, along with hashed and salted passwords, for a subset of customers the company had registered up until September 15, 2017. For a small number of users, API keys and customer-provided SSL certificates were also exposed.
Imperva said the security incident only affected customers of its cloud WAF, and not other products.
As a result of the breach, the company said it began notifying impacted customers and started forcing users to change passwords for their cloud WAF accounts.
Imperva also apologized to customers, said it also engaged forensics experts to help with the investigation, and "informed the appropriate global regulatory agencies."
When reached out for additional comment via email and telephone, an Imperva spokesperson cited the ongoing investigation and said they can't provide any other details. The questions that ZDNet sent Imperva, and which most customers would like to have answered, are below:
- Did the breach occur because of a server left exposed online by accident or due to an unauthorized, forceful intrusion?
- Is the "third party" who found the breach a source in law enforcement, a bug bounty hunter, or one of Imperva's customers?
- Did the breach occur in 2017, but was only now discovered?
Imperva acquired Incapsula and its suite of products, including the cloud WAF, in February 2014. Investment firm Thoma Bravo acquired Imperva in February 2019 for $2.1 billion.