Security should begin at home, especially if you’re a cloud security company. But Imperva has been hit with a hack in which email addresses and hashed passwords were exposed, the company says.
The company’s CEO, Chris Hylen, acknowledges: “Elements of our Incapsula customer database through September 15, 2017 were exposed,” according to Computer Business Review.
Hylen adds: “These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”
Heli Erickson, director of analyst relations at Imperva, adds that the incident is still being investigated, according to Krebs on Security.
Both Hylen and Erickson stress that the exposure is limited to the firm’s Cloud WAF product.
The company discovered the problem on August 20.
Krebs reports that “Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers in business today.”
Mogull also says, “For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare,” Krebs adds.
Krebs continues that Imperva has urged customers to take steps including “changing passwords for user accounts at Incapsula, enabling multi-factor authentication, resetting API keys, and generating/uploading new SSL certificates.”