Executive Summary: Imperva, an Internet firewall services provider, has announced that on Tuesday 20th August it was alerted by a third party to a data exposure that includes email addresses, hashed and salted passwords and, for a subset of the Incapsula customers, hashed API keys and customer-provided SSL certificates for Cloud WAF customers registered before 15th September 2017. Imperva has not yet confirmed how this data was leaked but has stated that the incident is still under investigation.
Rich Mogull, founder of DisruptOps, was quoted as saying that stolen API keys and SSL certificates could enable a malicious threat actor “to intercept, view or modify traffic destined for an Incapsula client web site, and even to divert all traffic for that site to or through a site owned by the attacker.” He later added that “they could modify any of the security Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic”.
Imperva CEO Chris Hylen has stated that Imperva has “implemented forced password rotations and 90-day expirations in our Cloud WAF product” and that Imperva is contacting all impacted customers and providing additional actions that customers can take to safeguard their accounts.
Detect: Imperva Cloud WAF customers registered before 15th September 2017
Affected Products: Cloud Web Application Firewall (WAF)
React: Imperva has recommended that customers carry out the following actions:
- Change user account passwords for Cloud WAF (https://my.incapsula.com)
- Implement Single Sign-On (SSO)
- Enable two-factor authentication
- Generate and upload a new SSL certificate
- Reset API keys
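
The following added example, which is not from Imperva or the original advisory, applies the stated scope date and the five recommended actions to a constructed account inventory and lists what is still outstanding per account. The CSV column names, the sample rows and the year 2019 for the alert date are assumptions.

```python
import csv
import io
from datetime import date

# Scope stated in the advisory: Cloud WAF accounts registered before this date.
SCOPE_CUTOFF = date(2017, 9, 15)

# Constructed inventory. Column names are hypothetical, not an Imperva export format.
# *_set / cert_not_before hold the date the credential was last issued;
# blank means the account has no API key or no customer-provided certificate.
SAMPLE_INVENTORY = """\
account,registered,password_set,api_key_set,cert_not_before,two_factor,sso
shop.example,2016-03-02,2019-08-28,2019-08-28,2018-11-05,yes,no
blog.example,2017-09-14,2019-01-10,,2019-09-01,no,no
api.example,2017-09-15,2018-02-01,2018-02-01,2018-02-01,no,no
legacy.example,2015-06-30,2019-09-03,2019-09-03,,yes,yes
"""

def _stale(value, rotated_since):
    """True when a credential exists and was last issued before rotated_since."""
    return bool(value) and date.fromisoformat(value) < rotated_since

def outstanding_actions(row, rotated_since):
    """Return the advisory's recommended actions still open for one account."""
    if date.fromisoformat(row["registered"]) >= SCOPE_CUTOFF:
        return []  # registered on or after the cutoff: outside the stated scope
    checks = [
        ("change password", _stale(row["password_set"], rotated_since)),
        ("implement SSO", row["sso"] != "yes"),
        ("enable two-factor authentication", row["two_factor"] != "yes"),
        ("generate and upload new SSL certificate",
         _stale(row["cert_not_before"], rotated_since)),
        ("reset API key", _stale(row["api_key_set"], rotated_since)),
    ]
    return [name for name, needed in checks if needed]

def triage(inventory_csv, rotated_since):
    """Map each in-scope account with open actions to its list of actions."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    report = {r["account"]: outstanding_actions(r, rotated_since) for r in rows}
    return {account: todo for account, todo in report.items() if todo}

if __name__ == "__main__":
    # Assumption: the page dates the alert 20th August without a year; 2019 is used here.
    for account, todo in triage(SAMPLE_INVENTORY, date(2019, 8, 20)).items():
        print(f"{account}: {', '.join(todo)}")
```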