Incident Details
An unknown attacker compromised an EC2 instance at Imperva, accessed AWS API keys, and exfiltrated a Database Snapshot related to their Incapsula WAF product.
Incident
How Did the Breach Happen?
The breach occurred when an exposed EC2 instance was compromised, allowing the attacker to obtain AWS API keys. These keys were used to access an RDS Snapshot in one of Imperva's production AWS Accounts.
What Data has been Compromised?
The compromised data included customer email addresses, hashed passwords, API keys, and some customer-provided SSL Certificates.
Why Did the Company's Security Measures Fail?
Security failed due to the unnecessary exposure of the EC2 instance to the public internet, the use of long-term access keys instead of short-term keys from an EC2 Instance Profile, and because the instance was part of a scaling test and was no longer needed but not terminated in time.
What Immediate Impact Did the Breach Have on the Company?
The exact immediate impact on the company is not documented, but a breach of this kind typically results in loss of customer trust, potential financial liabilities, and regulatory scrutiny.
How could this have been prevented?
The breach could have been prevented by terminating the unused EC2 instance, implementing proper access key management practices such as using short-term keys, and ensuring that instances are not unnecessarily exposed to the public internet.
What have we learned from this data breach?
The Imperva data breach teaches the importance of regular security audits to identify and terminate unused instances, proper key management, and the dangers of leaving internal services exposed to the public without adequate protection.
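As an added example (not part of this incident write-up or Imperva's tooling), the audit below checks describe_instances() output for the three conditions the prevention and lessons sections name: public exposure, no EC2 Instance Profile (a sign that long-term keys are being used on the box), and test instances left running. The sample records and the Purpose=test tag convention are constructed assumptions.

```python
"""Audit running EC2 instances for public exposure, missing instance
profiles and overdue test instances. Added example; all data is constructed."""
from datetime import datetime, timedelta, timezone

MAX_TEST_AGE = timedelta(days=7)  # assumed allowed lifetime for Purpose=test instances

def audit_instances(reservations, now=None, max_test_age=MAX_TEST_AGE):
    """Takes the 'Reservations' list from ec2.describe_instances() and returns
    {instance_id: [finding, ...]} for every running instance with a finding."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # stopped/terminated instances cannot be reached
            issues = []
            if inst.get("PublicIpAddress"):
                issues.append("reachable from the public internet (has a public IP)")
            if not inst.get("IamInstanceProfile"):
                issues.append("no instance profile; workloads likely rely on long-term keys")
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            age = now - inst["LaunchTime"]
            if tags.get("Purpose", "").lower() == "test" and age > max_test_age:
                issues.append(f"test instance running for {age.days} days; terminate it")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings

# Constructed sample shaped like describe_instances() output (IDs are not real).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE = [{"Instances": [
    {"InstanceId": "i-0aaa111bbb222ccc3", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.10", "LaunchTime": NOW - timedelta(days=40),
     "Tags": [{"Key": "Purpose", "Value": "test"}]},
    {"InstanceId": "i-0ddd444eee555fff6", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/app"},
     "LaunchTime": NOW - timedelta(days=1)},
    {"InstanceId": "i-0999888777666555a", "State": {"Name": "stopped"},
     "PublicIpAddress": "203.0.113.11", "LaunchTime": NOW - timedelta(days=90)},
]}]

if __name__ == "__main__":
    # For a live account, replace SAMPLE with
    # boto3.client("ec2").describe_instances()["Reservations"].
    for iid, issues in audit_instances(SAMPLE, now=NOW).items():
        print(iid, *issues, sep="\n  ")
```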
Summary of Coverage
In 2018, the cybersecurity firm Imperva experienced a data breach due to an unsecured EC2 instance that led to a compromise involving customer information from their Incapsula WAF product. Inadequate security measures and management of AWS resources were key factors in the breach.