Security should begin at home, especially if you’re a cloud security company. But Imperva has been hit with a hack in which email addresses and hashed passwords were exposed, the company says.
The company’s CEO, Chris Hylen, acknowledges: “Elements of our Incapsula customer database through September 15, 2017 were exposed,” according to Computer Business Review.
Hylen adds: “These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”
Heli Erickson, director of analyst relations at Imperva, adds that the incident is still being investigated, according to Krebs on Security.
Both Hylen and Erickson stress that the exposure is limited to the firm’s Cloud WAF product.
The company discovered the problem on August 20.
Krebs reports that “Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers in business today.”
Krebs also quotes Mogull as saying, “For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”
According to Krebs, Imperva has urged customers to take steps including “changing passwords for user accounts at Incapsula, enabling multi-factor authentication, resetting API keys, and generating/uploading new SSL certificates.”