The security breach particularly affects customers of Imperva's Cloud Web Application Firewall (WAF) product, formerly known as Incapsula, a security-focused CDN service known for its DDoS mitigation and web application security features that protect websites from malicious activities.
In a blog post published today, Imperva CEO Chris Hylen revealed that the company learned about the incident on August 20, 2019, only after someone informed it about the data exposure that "impacts a subset of customers of its Cloud WAF product who had accounts through September 15, 2017."
"We activated our internal data security response team and protocol, and continue to investigate with the full capacity of our resources how this exposure occurred," the company says.
"We have informed the appropriate global regulatory agencies. We have engaged outside forensic experts."
The company has not yet revealed how the Cloud WAF customers' data got leaked, whether its servers were compromised or if it was accidentally left unsecured in a misconfigured database on the Internet.
However, Imperva is still investigating the incident, and the company has ensured that it is informing all impacted customers directly and is also taking additional measures to scale up its security.
"We profoundly regret that this incident occurred and will continue to share updates going forward. In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry," the company says.
Cloud WAF users are recommended to change their account passwords, implement Single Sign-On (SSO), enable two-factor authentication (2FA), generate and upload new SSL certificate, and reset their API keys.