Identity and access management firm JumpCloud says it reset customers’ API keys after nation-state hackers breached its systems.
JumpCloud, a directory platform that allows enterprises to authenticate, authorize, and manage users and devices, last week told customers that it had reset their API keys “out of an abundance of caution” due to an ongoing, but unspecified security incident.
In a post-mortem of the incident published, JumpCloud said it determined that a nation-state actor gained unauthorized access to its systems and targeted a “small and specific” set of customers.
Jumpcloud hasn’t named the state-backed group but said the threat actor is “sophisticated… with advanced capabilities.”
In its findings, JumpCloud CISO Bob Chan said the first detected anomalous activity on June 27, which it traced back to a spearphishing campaign perpetrated by the threat actor on June 22. The company said at the time that it did not see any evidence of customer impact. Two weeks later, on July 5, JumpCloud said it discovered unusual activity in its commands framework for a small set of customers, revealing some customers were affected This is when the company reset all admin API keys and started notifying affected customers.
“The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers,” Chan said. The exact number of affected customers, and the types of organizations targeted, remains unknown. The company hasn’t said how it determined nation-state hackers were behind the intrusion, and hasn’t responded to a request for comment.
JumpCloud says on its website that it provides its software to more than 180,000 organizations and counts more than 5,000 paying customers. These customers include Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare.
Chan added that the attack vector used by the unnamed state-backed hackers has been mitigated. He added that the company notified law enforcement of the attack and published a list of indicators of compromise (IOCs) to help other organizations identify similar attacks.
“We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat,” Chan said.