Imperva, The Lost API Keys, and Loose SSL Certs

On August 27th, Imperva shared information on a security breach that affects customers using its WAF product. The WAF is cloud-based and analyzes suspicious traffic flowing into applications.

The breach exposed users’ emails and hashed & salted passwords; some customers’ SSL certs and API keys were also affected. Imperva has stated that it learned about the breach through a third party on August 20th, but the affected database contained old Incapsula records dating back to September 15, 2017.

“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”


As a result of the compromise, Imperva has implemented a 90-day password policy for the WAF product.
