JumpCloud, which offers directory-as-a-service products, has issued mandatory application programming interface (API) security key replacements, following what is believed to be an ongoing security incident.
The company offers secure access from any device anywhere and can integrate corporate WiFi and VPN devices using its RADIUS-as-a-service offering. It positions itself as a full cloud replacement for Microsoft Active Directory.
Computer Weekly’s sister publication, SearchSecurity.com, reported that JumpCloud notified customers and published a support notification on Thursday warning of an API key reset for IT administrators that affected several services. SearchSecurity.com noted that JumpCloud provided directions to generate a new API key, but did not say what the incident was, what caused it or whether the company network had been breached.
Among the products and services that have been listed by JumpCloud as being potentially affected are importing Active Directory; BambooHR; Okta Real-time User and Password Import and the JumpCloud App for Slack.
In a screenshot of the notice sent to customers, JumpCloud said: “Out of an abundance of caution relating to an ongoing security incident, JumpCloud has invalidated your existing API keys… We apologise for any inconvenience this causes your organisation, but the action was taken on your behalf as the most prudent course of action.”
Jason Kent, hacker in residence at Cequence Security, said that the most important component in any cryptographic system is the key. “As someone who has given words of caution on the use of long-lasting keys in the past and has commented many times on persistent API keys for sensitive controls, the ‘I told you so’ phase just isn’t much fun,” he said.
“As the teams that utilise these systems now have to see how many integrations have failed, how much backlash it’s going to create internally and will have to set about fixing everything, it’s a very stressful thing.”
JumpCloud’s support page urged admins who use an integration that relies on a JumpCloud admin API key to take action by updating those integrations with their new API key(s).
Kent said that reissuing keys means that IT admins now need to set keys on the various IT systems that use JumpCloud APIs, then wait for reports of successes and failures. Kent believes optimal key management needs systems capable of generating them at the time of use.
“This is because storage of the keys tends to be found by attackers and compromises like this one end up being a huge problem,” he said. “Computers are really good at repetitive tasks, have them log in every time. Utilise privileged access management or similar strategy and make sure you protect the key.”