UPDATED 22:29 EDT / AUGUST 27 2019

Imperva ‘security incident’ exposes customer data

Cybersecurity software firm Imperva Inc. today disclosed a 2017 “security incident” involving its Cloud Web Application Firewall product, previously known as Incapsula, that appears to have resulted in the theft of customer data.

“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” Imperva Chief Executive Officer Chris Hylen said in a blog post. The data stolen included email addresses, hashed and salted passwords and, in some cases, API keys and customer-provided SSL certificates.

Hylen noted that the company is going public “to do the right thing for all of our constituents,” but what was lacking from the disclosure is how it occurred and, more important, whether the presumably stolen data was being offered on the dark net, a shady part of the internet reachable with special software. That’s a strong possibility given that it must have been discovered somewhere for the third party to inform Imperva of data stolen two years ago.

Imperva has informed affected customers and implemented forced password rotations for the Cloud WAF product as well as launching its own investigation and informing global regulatory authorities.

Users are advised to change their account passwords, implement single sign-on, enable two-factor authentication, generate and upload new security certificates, and reset API keys.

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks,” Chris Morales, head of security analytics at threat detection and response firm Vectra AI Inc., told SiliconANGLE. “Losing SSL certificates and API access to an enterprise network is concerning.”

Heather Paunet, vice president of product management at network security company Untangle Inc., noted that incidents such as this one highlight the diligence that businesses and consumers need to practice.

Hylen concluded the disclosure by apologizing in part to customers, saying that “we profoundly regret that this incident occurred and will continue to share updates going forward.” Promising to do better in the future, he added that “in addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”
