AI startup Braintrust confirms breach, urges all customers to rotate keys
▼ Summary
– AI evaluation startup Braintrust confirmed unauthorized access to an AWS cloud account containing customer API keys for AI models.
– The company urged all customers to rotate and replace any API keys stored with Braintrust, citing “abundance of caution.”
– Braintrust stated the incident is contained, access restricted, and internal secrets rotated, with the cause under investigation.
– The breach could have downstream implications for affected customers, like AI companies relying on Braintrust’s platform.
– Hackers often target cloud accounts to steal API keys, allowing them to impersonate legitimate users in targeted systems.
Braintrust, an artificial intelligence evaluation startup, is advising all customers to revoke and replace their API keys following a security incident that exposed customer secrets. The company confirmed that an unauthorized party accessed one of its Amazon Web Services (AWS) cloud accounts, which contained API keys used by clients to connect with cloud-based AI models.
In an email sent to customers on Monday and reviewed by TechCrunch, Braintrust acknowledged the breach. The message stated, “We’ve communicated with one impacted customer and to date have not found evidence of broader exposure.” Despite this, the company urged “every customer to rotate” any API keys stored on its platform.
Braintrust publicly disclosed the incident on its website Tuesday, noting that the breach has been contained. “The incident has been contained, and in the meantime, we’ve locked down the compromised account, audited and restricted access across related systems, and rotated internal secrets,” the company wrote. An investigation into the root cause is ongoing.
Braintrust spokesperson Martin Bergman told TechCrunch that the email was sent “out of an abundance of caution.” He added that while the company “confirmed a security incident, there is no evidence of a breach at this time.”
Braintrust offers a platform that helps companies monitor and evaluate AI models and products. Founder and CEO Ankur Goyal previously described the service as an “operating system for engineers building AI software.” The startup secured $80 million in Series B funding in February, achieving a valuation of $800 million.
Jaime Blasco, co-founder of cybersecurity firm Nudge Security and a recipient of the breach alert, warned that the incident could have “downstream implications for affected customers,” particularly AI companies that depend on Braintrust’s infrastructure.
Cybercriminals often target corporate cloud accounts or third-party platforms to steal sensitive data like API keys. Once obtained, these keys allow attackers to log into company or customer systems as legitimate users, bypassing the need to infiltrate the target’s own network. A similar breach struck CircleCI, a software development tool provider, in 2023, prompting that company to ask customers to rotate “any and all secrets” stored with them.
More recently, a European Union cybersecurity agency reported that hackers stole 92 gigabytes of data from a compromised AWS account used by the European Commission, affecting 29 other EU entities and exposing data from dozens of internal Commission clients.
(Source: TechCrunch)
