JumpCloud's Ongoing Incident: API Key Reset

High Level Summary of the Security Advisory

JumpCloud is an American enterprise software company headquartered in Louisville, Colorado. It is a comprehensive, open directory platform that customers use to authenticate, authorize, and manage users, devices, and applications.

On July 5, 2023, JumpCloud customers shared screenshots of an email notification (email from JumpCloud), across various public platforms, that informed those customers about the invalidation of their existing admin API keys. Additionally, JumpCloud published a support notification, regarding the JumpCloud API Key Rotation which it took as a cautionary action relating to an ongoing incident. JumpCloud informed its customers that it has invalidated existing admin API keys and provided guidance for affected JumpCloud admins to generate new keys. 

While details of the incident are unknown, JumpCloud clarified that the action was taken with the objective of protecting the organizations and operations of its customers. 

Should I be concerned? 

Maybe. It depends on if you have a relationship with JumpCloud. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your relationships page for “JumpCloud” to confirm.

What to do if you or your vendors have active relationships with JumpCloud

As per the guidance provided, customers who are affected, particularly those who are currently using their API key or relying on integrations that depend on a JumpCloud admin API key, are advised to generate new API keys and update their integrations accordingly. JumpCloud also mentioned that once an admin's API Key is rotated, the old API key associated with that admin will no longer work which will impact any of the following services and integrations:

• AD Import 
• HRIS integrations
• • BambooHR
  • Bob
  • Deel
  • Factorial
• JumpCloud Powershell Module
• Jumpcloud-Slack-App
• Directory Insights Serverless App
• ADMU
• 3rd party MDM Zero-touch packages
• Command Triggers
• Okta SCIM integration
• Azure AD SCIM integration
• Integrations built to create/update users and/or devices using 3rd party tools like Workato, Aquera, Tray,io, etc.
• Automations and custom applications, and any other use cases that involve an Administrators JumpCloud API key. 

JumpCloud provided a guide to reset the API keys and offered a guided simulation for further assistance. The company urged affected customers to follow the provided instructions promptly. 

To access the new API Key:

1. Log in to JumpCloud as an Administrator or Command Runner.
2. In the Admin Portal, click account initials displayed at the top-right and select My API Key from the drop-down.
3. The new API key will be displayed in the resulting dialogue.

In the email notification sent to JumpCloud customers, it was advised to reach out to JumpCloud support at support@jumpcloud.com for any additional assistance or if customers require support with resetting or recreating their API keys.

---------------------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.

For any additional questions, please reach out to your customer success manager.

The VISO Trust team

—----------—----------—-----