JumpCloud invalidated and reset the API keys for all administrators, the company said on a support page posted last week.
The company told customers to update all third-party integrations with newly established keys due to what it described as an ongoing incident.
“Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to rotate all API keys for JumpCloud admins,” the company said in a support post posted Wednesday and updated Friday.
The cloud directory and access authentication provider did not specify the nature of the incident or respond to a request for comment, but the abrupt decision to reset all API keys could indicate something is amiss.
“If this was a routine process, JumpCloud would probably roll this out to customers over time, not impact all customers at once with such short notice,” William Dupre, senior director analyst on Gartner’s technical professionals security and risk management strategies team, said via email.
JumpCloud provides multi-directory management, identity and access management, multifactor authentication, single sign-on and integration with various third-party services. The Louisville, Colorado-based company said its cloud directory platform is used by more than 180,000 organizations across at least 160 countries.
The now reset API keys act as identifiers to authenticate application and user access to IT resources and services. The mass reset of these keys will break integrations with other services until administrators update integrations with the new API keys.
“Customers use JumpCloud services to enable identity and access management functionality. This could severely affect the ability for those customers to support their own products,” Dupre said.
“It becomes a big challenge when customers may not have good visibility into all the places they use JumpCloud APIs,” Dupre said. "Things will start breaking where they may not be expecting."
JumpCloud customers can access their new API key in their admin portal. The company advised customers to handle their JumpCloud API key with care and generate a new API key if there’s any reason to believe their API key was shared or compromised.
Dupre encouraged JumpCloud administrators to stay abreast of developments, understand the extent of the issue that precipitated the API key reset and make sure to apply any required mitigations.
Security professionals should also, according to Dupre, do a risk assessment of any systems that use JumpCloud services to detect any potential signs of compromise in their infrastructure or services.