Last month, cybersecurity firm Imperva announced that the data of a “subset of customers” of its Cloud Web Application Firewall was exposed in a “security incident” in September 2017. This week, the company published an analysis of the breach, which shows that the incident was made possible by the company accidentally leaving an internal system exposed to the web in 2017.
A hacker who found the exposed system was able to obtain an Amazon Web Services (AWS) API key from it, and subsequently used this key to access Imperva’s cloud environment, where they found a database snapshot from September 15, 2017, that had been used for testing. The attacker downloaded the snapshot in October 2018, but the firm did not find out about this until an unknown third party, who wanted a bug bounty for the disclosure, reported the incident in August 2019. After Imperva informed its customers of the breach, around 13,000 user passwords were changed and over 13,500 SSL certificates were rotated.