Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Imperva RDS Snapshot

Incident Details

Victimized Company: Imperva
Incident Dates: 2018-10-01 to 2018-10-31
Disclosure Date: 2019-08-27
Current Status: Closed

An unknown threat actor compromised an unused EC2 Instance, accessed AWS API keys stored on it, and used them to exfiltrate an RDS database snapshot from security vendor Imperva.

Incident

Details of the Incident

In October 2018, an unknown attacker compromised an internet-exposed EC2 instance and obtained the AWS API keys stored on it. These keys were subsequently used to access an RDS snapshot in one of Imperva’s production AWS accounts. The snapshot, taken roughly a year earlier, belonged to the Incapsula WAF product and contained customer email addresses, hashed passwords, API keys, and some customer-provided SSL certificates.

Timeline

Date                Event
September 15, 2017  Database (RDS) snapshot made
October 2018        Unauthorized use of an administrative API key in production AWS accounts
August 20, 2019     Imperva received a data set from a third party requesting a bug bounty
August 27, 2019     Imperva announced a security incident that affected a subset of its Cloud WAF customers

Summary of Coverage

Cloud Security Implications of this Incident

  • The EC2 Instance was part of a scaling test and was no longer needed. It should have been terminated.
  • The EC2 Instance was reachable from the public internet when that was not required.
  • The EC2 Instance held a long-term IAM access key on disk instead of obtaining short-term credentials from an EC2 Instance Profile, so compromising the host yielded durable API access.
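As an added example (not code from this page or from Imperva), the following Python posture check flags running EC2 instances that match the three points above: internet-reachable, no instance profile attached, or running long enough to look like a forgotten test box. It assumes input in the shape of boto3's ec2.describe_instances() response; the instance IDs, addresses, account ID and dates in the sample are constructed.

```python
"""Posture check for the EC2 findings above: a running instance that is reachable
from the internet, has no IAM instance profile (so any AWS API access from it must
rely on long-term keys stored on the host), or has been running for a long time."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of boto3's ec2.describe_instances() response
# ("Reservations"); the instance IDs, IPs, account ID and dates are made up.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa111example", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.10",
     "LaunchTime": datetime(2018, 6, 1, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "scale-test-01"}]},
    {"InstanceId": "i-0bbb222example", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app"},
     "LaunchTime": datetime(2019, 8, 1, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "api-01"}]},
    {"InstanceId": "i-0ccc333example", "State": {"Name": "stopped"},
     "PublicIpAddress": "203.0.113.11",
     "LaunchTime": datetime(2017, 1, 1, tzinfo=timezone.utc)},
]}]
AS_OF = datetime(2019, 9, 1, tzinfo=timezone.utc)  # fixed "now" for the sample


def audit_instances(reservations, now, max_age_days=90):
    """Return {instance_id: [finding, ...]} for running instances only.

    Findings: 'public-ip' (internet-reachable), 'no-instance-profile' (no role
    attached, so any credentials on the box are long-term keys) and
    'older-than-<N>d' (age heuristic for an instance nobody terminated)."""
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            issues = []
            if inst.get("PublicIpAddress"):
                issues.append("public-ip")
            if not inst.get("IamInstanceProfile"):
                issues.append("no-instance-profile")
            if now - inst["LaunchTime"] > timedelta(days=max_age_days):
                issues.append(f"older-than-{max_age_days}d")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


if __name__ == "__main__":
    # Live data: boto3.client("ec2").describe_instances()["Reservations"]
    for instance_id, issues in audit_instances(SAMPLE_RESERVATIONS, AS_OF).items():
        print(instance_id, ", ".join(issues))
```

Run against live data, the age heuristic is a prompt to confirm ownership, not proof the instance is unused; the other two findings are direct policy violations.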