Scrambled Passwords Were Exposed in the Imperva Data Breach

Sometimes an unfortunate event can push us into learning something new. After all, don’t we all learn from mistakes? Today we can learn from Imperva’s mistakes.

Imperva is a cybersecurity software company that is based in Redwood Shores, California. This company provides its clients with protection for enterprise data. Clients purchase Internet firewall services from Imperva to prevent cyber attacks and other malicious cyber activities.

Unfortunately, Imperva has announced that it experienced a data breach back in August, and this data breach has affected thousands of customers. According to the report, API keys, email addresses, SSL certificates, and multiple scrambled passwords were exposed during this breach.

There are multiple aspects to discuss about this data breach, especially when we consider the fact that a company that DEALS with cybersecurity was affected. However, this time, we are going to give you a short overview of the issue and then focus on scrambled passwords that were also exposed. Have you ever wondered what is a scrambled password?

What happened with Imperva?

As mentioned, Imperva experienced a data breach that exposed its clients’ data to hackers. It seems that the entire incident was the result of negligence because an internal system could be accessed from the Internet. The system that was accessible from the Internet stored a copy of Imperva’s AWS API Key.

Now, what is that? AWS refers to Amazon Web Services, which is an Amazon subsidiary that specializes in providing cloud computing platforms. An API Key means an application programming interface (API) key. It is a unique identifier that allows the system to authenticate a user or a program that tries to reach the API. In turn, the API is a communication protocol between a client and a server. It can be a system that is based on a cloud platform, operating system, hardware, and so on. So with the API Key stolen, hackers could access Imperva’s system from the outside.

Cybersecurity reporters believe that Imperva was not aware of the data breach at first and that they learned a few months later that the hacker downloaded a copy of their database snapshot that was used to evaluate their Relational Database Service (RDS) on their cloud platform. What does that mean? It means that the hacker could steal the data that was within the snapshot, and the data created AFTER the snapshot was taken was not affected by the breach.

All in all, the company didn’t explicitly say how many customers were affected by the data breach. However, over 13,000 passwords and 13,000 SSL certificates were changed and rotated after the affected customers were notified about it. Therefore, it is easy to more or less grasp the scope of the incident.

What is a scrambled password?

Since we are done with the general overview of the breach, we can take a closer look at one of the types of data that was exposed and leaked. We’re talking about scrambled passwords here. When you hear the word “scramble,” you probably think about the popular online game or scrambled eggs, but it’s true that we can also scramble our passwords.

Password scrambling is one of the ways to store them safely and to make them stronger. For example, Cyclonis Password manager also uses password scrambling to store its customers’ passwords in its vault. In the password manager’s case, it uses encryption to scramble saved passwords. However, there are other ways to protect passwords, and the information on the Imperva data breach suggests that the exposed scrambled passwords were hashed and salted.

What on earth does that mean? Well, you probably know that you can decrypt something once it’s been encrypted if you have a decryption key. Hashing, on the other hand, means that the data cannot be decoded once it’s been scrambled. Also, no matter what kind of data string you are going to hash, the length of the output is always fixed. That is to say, whether you are going to scramble I love apples or I hate rain, please go away, the length of the final output will be the same (if you use the same algorithm to hash it).

Since hashing doesn’t work the other way around, but scrambling the string with the same algorithm produces the same output, it can be used to check and authenticate access. For instance, if database stores hashed passwords and someone enters a plain text password trying to enter the database, the system needs to apply the same algorithm to hash the plain text password. If the hashed value matches the one that is stored in the database, the authentication is granted. It is also really hard to crack a hashed password, and the only way to do it is by brute-forcing it.

It’s even harder to crack it if salting is applied. In cybersecurity, salt refers to a random data value that is added to a password. Users do not see that value, but it is attached to their passwords within the computer systems to provide better security. In other words, your passwords are not kept in plain text because that would totally lead to terrible data breaches.

Within the system, salt value is generated at random. It is added to the plain text password, and then the entire string is usually hashed (as described above). Using different salt values with the same passwords results in completely different hashed values, so sprinkling salt (figuratively speaking) on your passwords makes them stronger.

From this, we can make an assumption, that stealing scrambled passwords might be lucrative only if the hacker has means to brute-force them. Of course, such a possibility always exists, and that is why Imperva urged its customers to change their passwords. However, it is also possible to say that stealing scrambled passwords is practically the same as stealing a safe that doesn’t have a key. It doesn’t change the fact of the data breach, but at least there’s a little bit of silver lining there.