Imperva says cloud firewall customers’ passwords were exposed

The company found out about the incident last week thanks to an unnamed third party, he said.

Security vendor Imperva on Tuesday revealed that data belonging to an unspecified number of customers of its cloud firewall product was exposed online.

Email addresses and hashed and salted passwords from a database of its Cloud Web Application Firewall (WAF) customers were left exposed through September 15, 2017, Imperva CEO Chris Hylen wrote in a blog post disclosing the incident. Additionally, the API keys and SSL certificates of some customers were exposed. The company found out about the incident last week thanks to an unnamed third party, he said.

It is unclear to what extent, if any, hackers had accessed the exposed data. The company did not respond to a request for comment by press time. Imperva’s Cloud WAF counts the AARP, General Electric, and Siemens as customers, according to the company’s website.

“We continue to investigate this incident around the clock and have stood up a global, cross-functional team,” Hylen wrote, adding that Imperva had informed the “appropriate global regulatory agencies,” and had enlisted outside forensic experts in the investigation. The company says it is tightening password security for its Cloud WAF customers and communicating directly with affected clients.

California-based Imperva is known for selling software tools to organizations to defend against distributed denial-of-service (DDoS) attacks, which hackers can use to flood organizations with web traffic and hamstring their public-facing services.

In June, Imperva took aim at the bots that are often used in DDoS attacks by announcing its acquisition of bot mitigation company Distil Networks.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.