JumpCloud resets customer API keys amid ‘ongoing incident’
The directory, identity and access management giant JumpCloud has told its customers to reset their API keys to protect organisations from an “ongoing” security incident.
The decade-old US software firm did not state the specifics but in a support post on Twitter said the decision was made due to an “abundance of caution”.
@troyhunt this seems ominous from @JumpCloud pic.twitter.com/Pu0keIHqSK
— Lee (@LeeFromNuZuland) July 5, 2023
JumpCloud provides cloud file directory and device security, such as single sign-on and multifactor authentication, to more than 180,000 organisations, with more than 5,000 paying customers.
It’s typical for companies to offer API keys so that customers can integrate products they have already built, rather than spending the time to develop equivalent functionality themselves. Not only can APIs save money, they can also generate revenue by allowing companies to grow more quickly.
But because API keys function as passwords, rotating or invalidating customer API keys is not an action to be taken lightly: the disruption can quickly create a ripple effect across every system that depends on them.
“This could potentially disrupt all systems relying on this API for operation, management, and administration of single sign-on, MFA, password management, device management, and more with the JumpCloud platform,” said Nick Rago, Field CTO at Salt Security.
“Because thousands of organisations rely on this platform for management of these critical services, the customer impact is severe.”
Rago added that, other than a notice that API keys were invalidated and must be reset, and an apology for any disruption, there doesn’t seem to be much transparency at this time into what the security incident was, how long API keys might have been exposed, or how the company plans to prevent this type of incident from happening again.
He claimed that the incident must have been “pretty significant” for JumpCloud to take this action across its whole customer base.
“To give some context, a JumpCloud API key in the wrong hands could compromise the administration and configuration of key directory and identity services for an organisation.”
Many firms rely on cloud-based service provider APIs to manage key critical infrastructure and business-driving services every day.
The incident serves as a reminder that organisations should ask their cloud service providers for an option to lock down API access to their account to a limited whitelist of source locations, so that an adversary who obtained a privileged API key would be limited in the harm they could cause with it, Rago concluded.