JumpCloud, an IT Firm Serving 200,000 Orgs, Says It Was Hacked By Nation-State

An anonymous reader quotes a report from Ars Technica: JumpCloud, a cloud-based IT management service that lists Cars.com, GoFundMe, and Foursquare among its 5,000 paying customers, experienced a security breach carried out by hackers working for a nation-state, the company said last week. The attack began on June 22 as a spear-phishing campaign, the company revealed last Wednesday. As part of that incident, JumpCloud said, the "sophisticated nation-state sponsored threat actor" gained access to an unspecified part of the JumpCloud internal network. Although investigators at the time found no evidence any customers were affected, the company said it rotated account credentials, rebuilt its systems, and took other defensive measures. On July 5, investigators discovered the breach involved "unusual activity in the commands framework for a small set of customers." In response, the company's security team performed a forced-rotation of all admin API keys and notified affected customers. As investigators continued their analysis, they found that the breach also involved a "data injection into the commands framework," which the disclosure described as the "attack vector." The disclosure didn't explain the connection between the data injection and the access gained by the spear-phishing attack on June 22. Ars asked JumpCloud PR for details, and employees responded by sending the same disclosure post that omits such details. Investigators also found that the attack was extremely targeted and limited to specific customers, which the company didn't name. JumpCloud says on its website that it has a global user base of more than 200,000 organizations, with more than 5,000 paying customers. They include Cars.com, GoFundMe, Grab, ClassPass, Uplight, Beyond Finance, and Foursquare. JumpCloud has raised over $400 million from investors, including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian, and CrowdStrike. The company has also published a list of IP addresses, domain names, and cryptographic hashes used by the attacker that other organizations can use to indicate if they were targeted by the same attackers. JumpCloud has yet to name the country of origin or other details about the threat group responsible.

Read more of this story at Slashdot.