Anatomy of a Breach: Imperva — When the Security Vendor Protecting Your Data Was Breached

> series: anatomy_of_a_breach —— part: 128 —— target: imperva —— data: api_keys_tls_certs_passwords —— irony: security_vendor_breached

Hedgehog Security 31 August 2019 12 min read

The company that protects you from breaches was itself breached.

In August 2019, Imperva disclosed that customer data from its Cloud WAF (Web Application Firewall) product — formerly known as Incapsula — had been exposed in a security incident. The compromised data included customer email addresses, hashed and salted passwords, and — critically — API keys and TLS/SSL certificates belonging to customers who used Imperva's Cloud WAF service. The exposure of API keys and TLS certificates meant that customers' own security configurations were potentially compromised.

The breach originated from a cloud migration during which an internal AWS API key was left exposed — enabling an attacker to access a database snapshot containing customer data. The irony was inescapable: Imperva, a cybersecurity company whose Cloud WAF product is designed to protect organisations from exactly the type of attack that led to the Capital One breach one month earlier, had been breached through the same class of cloud misconfiguration. Like HBGary Federal (2011), Hacking Team (2015), and LastPass (2015), the Imperva breach demonstrated that security expertise does not confer security immunity.
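The root cause described above, an internal AWS API key left in a migration artefact, is the kind of thing a defender can catch before it ships. The scanner below is an added example written for this article, not Imperva's tooling and not based on the actual artefact involved; it flags AWS access key IDs (the `AKIA`/`ASIA` prefix format AWS documents) and high-entropy secret keys in text, using the constructed sample lines embedded in the block. The sample credentials are the placeholder values from AWS's own documentation, not real keys.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of the sort of text a migration leaves behind (env files,
# shell history, config dumps). The key values are AWS's documentation placeholders.
SAMPLE_LINES = [
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY",
    "db_snapshot_id = rds:migration-snapshot-2019-07-01",
    "region = eu-west-1",
    "# TODO remove before commit",
]

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character secret assigned to something named like a secret key. Anchoring
# on the variable name keeps random 40-char tokens (hashes, ids) from matching.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Below this many bits per character the string is almost certainly a
# placeholder such as "xxxxxxxx..." rather than a generated secret.
MIN_SECRET_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of a credential to identify it in a ticket, never the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({
                "line": lineno,
                "kind": "aws_access_key_id",
                "value": m.group(0),
                "redacted": redact(m.group(0)),
            })
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY:
                findings.append({
                    "line": lineno,
                    "kind": "aws_secret_access_key",
                    "value": secret,
                    "redacted": redact(secret),
                })
    return findings


if __name__ == "__main__":
    # Any hit means: rotate the key in IAM first, then clean the artefact.
    # Deleting the text alone does nothing for a key already copied.
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
```

Run this over the export bundles, environment files and shell history produced during a migration, not just the repository; the exposure in this story came from the migration process, not from source code. The printed output shows only the redacted form, so the scan report itself does not become a second copy of the secret.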


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Your security provider is part of your attack surface.

The Imperva breach was the latest in a pattern documented throughout this series: security vendors — RSA (2011), Hacking Team (2015), LastPass (2015), Cloudflare (2017), and now Imperva (2019) — are themselves targets, and their compromises create supply chain risk for every customer who depends on them.

API Keys and TLS Certificates Exposed

The exposure of customer API keys and TLS certificates was particularly damaging — these credentials could be used to bypass the very security controls that Imperva's product provided. <a href="/penetration-testing/cloud-configuration-review">Cloud configuration reviews</a> assess API key management and certificate security.

Cloud Migration Risk — Again

Like <a href="/blog/anatomy-of-a-breach-capital-one">Capital One</a>, the Imperva breach originated from a cloud migration error — an exposed AWS API key. Cloud migrations introduce transient risk windows where misconfigurations can expose sensitive data. Our <a href="/penetration-testing/cloud-configuration-review">cloud reviews</a> are frequently commissioned during and after cloud migrations.

Supply Chain Trust Challenged

Organisations trust their WAF vendor with their most sensitive traffic — the vendor sees every request and response. When that vendor is breached, customer security configurations, certificates, and API keys are at risk. <a href="/blog/sector-under-the-microscope-professional-services">Supply chain analysis</a> is essential for evaluating vendor security.

Security Vendors Must Practise What They Preach

Imperva, RSA, Hacking Team, LastPass, Cloudflare — five security vendors breached in this series. The lesson: no organisation, regardless of its expertise, is immune. Our <a href="/penetration-testing">penetration testing</a> is based on the principle that claims of security must be verified through testing.

Evaluate your vendors' security with the same rigour as your own.

The Imperva breach reinforced that security vendor selection must include evaluation of the vendor's own security posture — not just their product's features. For UK organisations selecting WAF, CDN, SIEM, or managed security providers, the provider's own security practices are a critical evaluation criterion. Cyber Essentials addresses supply chain security. Our cloud configuration reviews assess cloud-based security service configurations. SOC in a Box monitors for the anomalous activity that indicates supply chain compromise. And UK Cyber Defence provides incident response when a vendor breach affects your organisation.
Imperva protects organisations from breaches — and was breached itself. Have you evaluated your vendors' security?

<a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain risk. Our <a href="/penetration-testing/cloud-configuration-review">cloud reviews</a> assess vendor integrations. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for supply chain compromise.