Imperva Alert


Cybersecurity threats evolve every minute of every day. Best practices exist to protect against or even mitigate these growing threats, but, unfortunately, some companies still fall victim to attacks. Lapses in controls lead to many of the countless breaches that we hear about so often in the news. It was reported recently that Imperva, a leading provider of Internet firewall services, which can help web sites block malicious cyberattacks, was a victim of a cyberattack.

This time the threat came from the cloud, specifically the Incapsula cloud (the company’s cloud-based Web Application Firewall (WAF) product). The result of this breach was that customer data elements dating back to September 17, 2017 were obtained by attackers. The data elements captured included email addresses and hashed/salted passwords, and, for a small subset of Incapsula customers, API keys and customer-provided SSL certificates.


Commenting in an article on the security website Krebs on Security, Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, stated that “an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.”

In addition, attackers in possession of these key assets could reduce the overall security of WAF settings and could essentially “whitelist” any traffic originating from an attacker. To imagine a worst-case scenario, an attacker associated with this breach could intercept, view or modify any content meant for an Incapsula client web site, and even divert this traffic through an attacker-owned site or other malicious destination.

Certain scenarios could allow an attacker to alter a WAF implementation into a state that makes it essentially meaningless for the customer. Due to the ongoing investigation associated with this matter, many questions remain unanswered. Below are a few of those questions.

Imperva Incapsula breach – unanswered questions (Provided by ZDNET)

  • Did the breach occur because of a server left exposed online by accident or due to an unauthorized, forceful intrusion?
  • Is the “third party” who found the breach a source in law enforcement, a bug bounty hunter, or one of Imperva’s customers?
  • Did the breach occur in 2017, but was only now discovered?


As of August 27, Imperva has released a statement regarding this incident and has forced password resets for affected customers, alongside encouraging the use of 2FA (two-factor authentication).

The opinion of IT Security professionals at Schneider Downs (SD) is that 2FA alongside the password reset process should be required for all customers regardless of whether they were affected by this breach (

Two-factor authentication is not a new technology, nor is it a costly protection mechanism, and we believe it should be required for all Incapsula WAF customers.


The blog (a blog created by the lead of Google’s anti-abuse research team, which assists in protecting users against cyber-criminal activities and Internet threats) wrote an article titled “The bleak picture of two-factor authentication adoption in the wild.” In this post, Elie Bursztein reported that “Overall, as of late 2018, 52.5% of the 1149 sites listed in the dongleauth database support 2FA.”

Bursztein’s blog post paints a grimmer picture of 2FA adoption and solidifies our recommendation that 2FA should be a required implementation following a breach of this magnitude.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
