Imperva explains how hackers stole AWS API Key and accessed to customer data

Pierluigi Paganini October 14, 2019

Imperva shared details on the incident it has recently suffered and how hackers obtain data on Cloud Web Application Firewall (WAF) customers.

In August, cybersecurity firm Imperva disclosed a data breach that exposed sensitive information for some customers of its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula.

Incapsula, is a CDN service designed to protect customers’ website from all threats and mitigate DDoS attacks.

Imperva CEO Chris Hylen revealed that the company learned about the incident on August 20, 2019, when it was informed about the data exposure impacting Cloud Web Application Firewall (WAF) product.

“We want to be very clear that this data exposure is limited to our Cloud WAF product.” reads the Hylen’s announcement. “Here is what we know about the situation today:

  • On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017.
  • Elements of our Incapsula customer database through September 15, 2017 were exposed. These included:
    • email addresses
    • hashed and salted passwords

Laked data included email addresses and hashed and salted passwords for all Cloud WAF customers who registered before 15th September 2017.

Hylen added that for a subset of the Incapsula customers, through September 15, 2017, were exposed API keys and customer-provided SSL certificates.

In a blog post published by Imperva, the company confirmed that it was informed of the incident by someone who had requested a bug bounty. The firm explained that the data was exfiltrated without exploiting any vulnerability in its systems.

The analysis of the data confirmed that attackers stole data in October.

“Our investigation identified an unauthorized use of an administrative API key in one of our production AWS accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords.” reads the post published by Imperva.

“We compared the SQL dump in the provided dataset to our snapshots and found a match. As of this post, we can say that the elements of customer data defined above were limited to Cloud WAF accounts prior and up to September 15, 2017. Databases and snapshots for our other product offerings were not exfiltrated,”

The company announced to have adopted additional security measures to protect its customers, including the creation of new instances behind its VPN by default, the implementation of monitoring and patching programs, decommission unused and non-critical compute instances.

Imperva explained that the incident was related to the process migration of its infrastructure to AWS cloud technologies that begun back in 2017.

At the time, the development team created a database snapshot for testing and to evaluate the migration to AWS. An internal compute instance that they created was exposed online and it contained an AWS API key. This instance was compromised and hackers exfiltrated the AWS API key and used it to access the snapshot.

In response to the incident, Imperva changed 13,000 passwords, more than 13,500 SSL certificates have been rotated and regenerated roughly 1,400 API keys. The good news is that the company is not aware of malicious account activity associated with the hack.

While the company is still investigating the incident it recommends the following security measures to its customers:

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Imperva, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment