A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed.
The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end August.
Chief technology officer, Kunal Anand, explained in a blog post that the firm decided back in 2017 to migrate to the AWS Relational Database Service (RDS) in order to provide greater scale for its user database.
As part of this process the firm created a database snapshot for testing on September 15, 2017.
Separately, Imperva’s IT team created an internal compute instance containing an AWS administrative API key. Unfortunately, this server was left exposed and subsequently found by a hacker, who stole the all-important key and used it to access the database snapshot, exfiltrating the information in October 2018.
The stolen data included email addresses, hashed and salted passwords, API keys, and TLS keys — although Anand claimed to have found no evidence so far that it is being abused for malicious ends.
Imperva has since tightened its internal security, by ensuring new instances are created behind a VPN, unused and non-critical instances are decommissioned, and by putting monitoring and patching programs in place.
Other corrective actions taken include an increase in the frequency of infrastructure scanning, tighter access controls, and an increase in auditing of snapshot access.
At Imperva’s request, more than 13,000 customer passwords were changed and over 13,500 SSL certificates rotated following the breach, highlighting the scale of the incident. In addition, over 1400 API keys were regenerated, according to Anand.