On August 27th, Imperva shared information on a security breach that affects customers using its WAF product. The WAF is cloud-based and analyzes suspicious traffic flowing into applications.
The breach exposed users' emails and hashed and salted passwords; some customers' SSL certs and API keys were also affected. Imperva has stated that it learned about the breach through a third party on August 20th, but the affected database contained old Incapsula records dating back to September 15, 2017.
“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”
As a result of the compromise, Imperva has implemented a 90-day password policy for the WAF product.