I want to share details about a security incident at Imperva that resulted in a data exposure impacting our Cloud Web Application Firewall (WAF) product, formerly known as Incapsula. In this situation, we will do our best to honor the following principles:
- To do the right thing for all of our constituents
- To be fact and data driven – and to share what we know, when we know it to be true
- To live up to our company values and leadership expectations
We want to be very clear that this data exposure is limited to our Cloud WAF product. Here is what we know about the situation today:
- On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017.
- Elements of our Incapsula customer database through September 15, 2017 were exposed. These included:
  - email addresses
  - hashed and salted passwords

  And for a subset of the Incapsula customers through September 15, 2017:
  - API keys
  - customer-provided SSL certificates
We continue to investigate this incident around the clock and have stood up a global, cross-functional team. Here are the actions we have taken:
- We activated our internal data security response team and protocol, and continue to investigate with the full capacity of our resources how this exposure occurred.
- We have informed the appropriate global regulatory agencies.
- We have engaged outside forensics experts.
- We implemented forced password rotations and 90-day expirations in our Cloud WAF product.
- We are informing all impacted customers directly and sharing the steps we are taking to safeguard their accounts and data, and additional actions they can take themselves.
We recommend the following security measures as a matter of good practice for all of our customers:
- Change user account passwords for Cloud WAF (https://my.incapsula.com)
- Implement Single Sign-On (SSO)
- Enable two-factor authentication
- Generate and upload a new SSL certificate
- Reset API keys
We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. Imperva will not let up on our efforts to provide the very best tools and services to keep our customers and their customers safe.
If you have additional questions, please reach out to firstname.lastname@example.org.