AI Evaluation Startup Braintrust Confirms Breach, Urges All Customers to Rotate API Keys

AI evaluation startup Braintrust has confirmed a security incident involving unauthorized access to one of its Amazon Web Services (AWS) cloud accounts, prompting an urgent directive to all customers to revoke and replace their sensitive API keys. The incident, which came to light through an email sent to customers on Monday and obtained by TechCrunch, revealed that the compromised AWS account housed critical API keys utilized by customers to access cloud-based AI models. This swift advisory underscores the potential risk associated with such credentials. Initially, Braintrust's communication indicated that they had identified "one impacted customer" and, at that time, had not found evidence of broader exposure. However, out of what a company spokesperson later described as "an abundance of caution," the startup proactively instructed "every customer to rotate" any API keys they had stored with Braintrust. This broad recommendation highlights the severity of the potential vulnerability, even if the full extent of the compromise was still under investigation. The company moved quickly to contain the incident, disclosing on its website that the "incident has been contained." Measures taken include locking down the compromised account, auditing and restricting access across related systems, and rotating internal secrets to prevent further unauthorized access. While Braintrust confirmed a "security incident," spokesperson Martin Bergman clarified to TechCrunch that "there is no evidence of a breach at this time," suggesting that while unauthorized access occurred, conclusive proof of data exfiltration or misuse of keys had not yet been established. The precise cause of the breach remains under active investigation. Braintrust, founded by CEO Ankur Goyal, positions itself as an "operating system for engineers building AI software," providing a platform for companies to monitor AI models and products. The startup recently secured $80 million in a Series B funding round in February, valuing the company at $800 million. The incident raises concerns about the security posture of critical infrastructure supporting the burgeoning AI industry, especially given Braintrust's role in evaluating AI models. Cybersecurity experts are weighing in on the potential repercussions. Jaime Blasco, co-founder of Nudge Security, who also received a breach alert, warned of "downstream implications for affected customers," particularly AI companies that rely on Braintrust's services. This incident serves as a stark reminder of the persistent threat posed by hackers targeting corporate accounts on cloud services or third-party platforms to steal sensitive credentials like API keys. Once acquired, these keys can grant attackers legitimate-appearing access to company or customer systems, bypassing traditional security measures. Similar incidents have impacted other major entities, including CircleCI in 2023 and, more recently, an AWS account used by the European Commission, underscoring a widespread vulnerability in cloud-based ecosystems.