JumpCloud has confirmed it reset customer API keys following a “security incident” earlier in July 2023, leaving customers who missed the advisory notice with disrupted services.
In a blog post, company CISO Bob Phan explained: “The security threats that we face, as an industry, are unprecedented and require strong collaboration from all constituents.”
Details of the security incident remain sparse, but Phan disclosed that unauthorized access by a sophisticated nation-state-sponsored threat actor saw a “small and specific” set of cloud storage customers targeted, who were notified prior to the public blog post.
JumpCloud security incident
In response to the attack, JumpCloud says that it has been working with both incident response partners and law enforcement in order to prevent such future attacks, claiming that “the attack vector used by the threat actor has been mitigated.”
The API key reset on July 5 followed “unusual activity in the commands framework” on the same day. Phan said that the spear-phishing campaign could be traced back to June 22.
Despite expressing a commitment to providing “ transparent and timely information,” some have expressed their concern over the incident.
Nick Rago, Field CTO at Salt Security, a company whose mission it is to make APIs attack-proof, said that the incident must have been “pretty significant” for JumpCloud to have taken the action it did across its whole customer base.
Rago continued: “there doesn’t seem to be much transparency at this time into what the security incident was or how long API keys might have been potentially exposed, or how they are remedying this type of incident from happening again.”
Salt Security’s Field CTO suggests that enterprise users should look to lock down API access to their account from a whitelist of locations in order to limit attack risk.
JumpCloud’s Phan promised that the company would continue to enhance its security measures to prevent future attacks, collaborating with industry partners and governments.