An unknown threat actor compromised an unused EC2 Instance, accessed AWS API Keys, and used them to exfiltrate a Database Snapshot from security vendor Imperva.
Incident
Details of the Incident
In October 2018, an unknown attacker compromised an exposed EC2 instance and gained access to AWS API keys. These keys were subsequently used to access an RDS Snapshot in one of Imperva’s production AWS Accounts. The database snapshot from a year prior was related to their Incapsula WAF product and contained customer email addresses, hashed passwords, API keys, and some customer-provided SSL Certificates.
Timeline
| Date | Event |
| --- | --- |
| September 15, 2017 | Database (RDS) Snapshot made |
| October 2018 | Unauthorized use of an administrative API key in production AWS accounts |
| August 20, 2019 | Imperva received a data set from a third party requesting a bug bounty |
| August 27, 2019 | Imperva announced a security incident that affected a subset of its Cloud WAF customers |
Summary of Coverage
Cloud Security Implications of this Incident
- The EC2 Instance was part of a scaling test and was no longer needed. It should have been terminated.
- The EC2 Instance was accessible via the public internet when not required.
- The instance held a long-term IAM access key instead of obtaining short-term credentials from an EC2 Instance Profile.
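The three implications above are all things an account owner can check for before an incident. As an added example (not part of the original page, and not Imperva's own tooling), the following Python audits a constructed EC2 and IAM inventory for exactly those weaknesses: instances whose planned lifetime has passed, instances with a public IP, instances running without an instance profile (so any AWS calls from them must rely on long-term keys), and IAM access keys older than a rotation window. The `ExpiresAt` tag convention, the `Instance`/`AccessKey` records, the sample instance IDs and the `AKIAEXAMPLE...` key IDs are all assumptions constructed for the example; in a real account the records would be filled from `describe_instances` and `list_access_keys`.

```python
"""Audit a constructed EC2/IAM inventory for the weaknesses named in the incident.

Everything below is constructed sample data; no AWS API is called.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Instance:
    """Subset of an EC2 instance description relevant to this audit (assumed shape)."""
    instance_id: str
    launch_time: datetime
    public_ip: Optional[str]            # None when the instance has no public address
    iam_instance_profile: Optional[str]  # None when no instance profile is attached
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class AccessKey:
    """Subset of an IAM access key record (assumed shape)."""
    user: str
    key_id: str
    create_date: datetime


def audit_instances(instances: List[Instance], now: datetime) -> Dict[str, List[str]]:
    """Return {instance_id: [reasons]} for every instance that fails a check.

    Assumed convention: every instance carries an ExpiresAt tag (ISO date, UTC)
    stating when it may be terminated; a missing or past date is a finding.
    """
    findings: Dict[str, List[str]] = {}
    for inst in instances:
        reasons: List[str] = []
        expires = inst.tags.get("ExpiresAt")
        if expires is None:
            reasons.append("no ExpiresAt tag: lifetime is unbounded")
        elif datetime.fromisoformat(expires).replace(tzinfo=timezone.utc) <= now:
            reasons.append(f"ExpiresAt {expires} has passed: instance should be terminated")
        if inst.public_ip:
            reasons.append(f"reachable from the internet via public IP {inst.public_ip}")
        if inst.iam_instance_profile is None:
            reasons.append("no instance profile: AWS calls from this host need long-term keys")
        if reasons:
            findings[inst.instance_id] = reasons
    return findings


def audit_access_keys(keys: List[AccessKey], now: datetime,
                      max_age_days: int = 90) -> List[Tuple[str, str, int]]:
    """Return (user, key_id, age_in_days) for keys older than the rotation window."""
    stale = []
    for key in keys:
        age = (now - key.create_date).days
        if age > max_age_days:
            stale.append((key.user, key.key_id, age))
    return stale


# Constructed inventory: one forgotten scaling-test box, one healthy web host,
# one database host that was never given an expiry date.
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    Instance("i-scaletest01", datetime(2018, 6, 1, tzinfo=timezone.utc),
             public_ip="203.0.113.10", iam_instance_profile=None,
             tags={"Purpose": "scaling-test", "ExpiresAt": "2018-07-01"}),
    Instance("i-web02", datetime(2018, 9, 20, tzinfo=timezone.utc),
             public_ip=None, iam_instance_profile="web-role",
             tags={"Purpose": "web", "ExpiresAt": "2019-01-01"}),
    Instance("i-db03", datetime(2017, 1, 1, tzinfo=timezone.utc),
             public_ip=None, iam_instance_profile="db-role",
             tags={"Purpose": "db"}),
]
SAMPLE_KEYS = [
    AccessKey("ci-deploy", "AKIAEXAMPLECI000001", datetime(2017, 9, 1, tzinfo=timezone.utc)),
    AccessKey("alice", "AKIAEXAMPLEALICE0001", datetime(2018, 9, 15, tzinfo=timezone.utc)),
]


def run_audit() -> Tuple[Dict[str, List[str]], List[Tuple[str, str, int]]]:
    """Run both checks over the constructed inventory and return the findings."""
    return audit_instances(SAMPLE_INSTANCES, NOW), audit_access_keys(SAMPLE_KEYS, NOW)


if __name__ == "__main__":
    instance_findings, stale_keys = run_audit()
    for instance_id, reasons in instance_findings.items():
        for reason in reasons:
            print(f"{instance_id}: {reason}")
    for user, key_id, age in stale_keys:
        print(f"{user}/{key_id}: access key is {age} days old")
```

Run against the constructed data, the scaling-test instance trips all three checks at once, which is the combination the incident describes, while the database host is flagged only for having no expiry date. The key check is a complement rather than a substitute for instance profiles: a host that fetches temporary credentials from its instance profile has no long-term key on disk for an intruder to copy in the first place.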