Imperva says cloud firewall customers’ passwords were exposed
Security vendor Imperva on Tuesday revealed that data belonging to an unspecified number of customers of its cloud firewall product was exposed online.
Email addresses and hashed and salted passwords from a database of its Cloud Web Application Firewall (WAF) customers were left exposed through September 15, 2017, Imperva CEO Chris Hylen wrote in a blog post disclosing the incident. Additionally, the API keys and SSL certificates of some customers were exposed. The company found out about the incident last week thanks to an unnamed third party, he said.
It is unclear to what extent, if any, hackers had accessed the exposed data. The company did not respond to a request for comment by press time. Imperva’s Cloud WAF counts the AARP, General Electric, and Siemens as customers, according to the company’s website.
“We continue to investigate this incident around the clock and have stood up a global, cross-functional team,” Hylen wrote, adding that Imperva had informed the “appropriate global regulatory agencies,” and had enlisted outside forensic experts for the investigation. The company says it is tightening password security for its Cloud WAF customers and communicating directly with affected clients.
California-based Imperva is known for selling software tools that organizations use to defend against distributed denial-of-service (DDoS) attacks, which hackers can use to flood organizations with web traffic and hamstring their public-facing services.
In June, Imperva took aim at the bots that are often used in DDoS attacks by announcing its acquisition of bot mitigation company Distil Networks.