JumpCloud invalidates API keys in response to ongoing incident

Cloud provider JumpCloud initiated a mandatory API key rotation in response to an ongoing incident, though details on the incident remain scarce.

The Colorado-based company, which offers identity and access management services, notified customers and published a support notification Thursday warning of an API key reset for admins that affected several services. JumpCloud provided directions to generate a new API key, but did not say what the incident was, what caused it or whether the company network had been breached.

"Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to invalidate all API Keys for JumpCloud Admins," JumpCloud wrote in the notification. "Once an Admin's API Key is invalidated, that API key associated to that Admin will no longer work."

JumpCloud provides a cloud-based Active Directory (AD) platform that's used by more than 180,000 organizations in more than 160 countries. Its identity, access and device management offerings center around the integration of different software vendors and cloud providers.

The recent key reset affected 12 services, including AD import, JumpCloud App for Slack, Azure AD System for Cross-domain Identity Management integration, JumpCloud PowerShell Module and Okta SCIM integration.

Directions to generate a new API key were straightforward. JumpCloud instructed customers to log in as an administrator, find My API Key in the drop-down menu and click Generate New API Key. A support email was also provided.

JumpCloud's notification also offered general security guidance for API keys that suggested JumpCloud admin keys might have been compromised in the unspecified incident. "If you believe for any reason that your API key may have been shared or compromised, we recommend generating a new API key," the notification said.

JumpCloud customers shared screenshots on Twitter Thursday of an email notification they received about the mandatory API key rotation. While details were still vague, JumpCloud said the move was intended to "protect your organization and operations." In addition, the email apologized for any business disruptions and referred to the mandatory key rotation as "the most prudent course of action."

One of those customers, Omri Segev Moyal, CEO at incident response firm Profero, criticized the transparency of the notifications. "Seems like Jump cloud are handling a major incident quite improperly. This messages leaves lots of unknowns. Not how I want to receive such notice," Moyal wrote on Twitter.

He listed several questions the notice left unanswered, including an incident timeline, the decision behind the key reset and what relevant logs customers should watch for regarding malicious activity. "Sending such a drastic message without proper brief on whats the actual situation is not transparency," he wrote.

JumpCloud did not respond to requests for comment at press time.

APIs have become a growing concern for enterprises in recent years as threat actors have increased their attention to the attack surface. Many of the attacks have abused insecure APIs or exposed API keys that were accidentally made public. For example, cybersecurity vendor Imperva was breached in 2018 via an exposed AWS API key.

Arielle Waldman is a Boston-based reporter covering enterprise security news.