Braintrust confirms security breach, urges customers to rotate sensitive API keys
AI evaluation startup Braintrust confirmed a security breach and advised all customers to rotate sensitive keys to reduce potential cybersecurity risks.
AI evaluation startup Braintrust has confirmed a security incident involving unauthorised access to one of its Amazon Web Services (AWS) cloud accounts and is now urging customers to revoke and replace sensitive API keys stored on its platform.
According to an email sent to customers on Monday and reviewed by the company, the company acknowledged that an attacker gained “unauthorised access” to an AWS cloud account containing customer API keys used for accessing cloud-based AI models.
“We’ve communicated with one impacted customer and to date have not found evidence of broader exposure,” the company stated in the email.
Despite saying there is currently no evidence of widespread customer impact, Braintrust advised all customers to rotate any API keys stored with the company as a precautionary measure.
The startup publicly disclosed the incident on its website on Tuesday, explaining that the breach had been contained. Braintrust said it had locked down the compromised account, audited and restricted access across related systems, and rotated its own internal secrets following the discovery of the issue.
The company also confirmed that the root cause of the breach remains under investigation.
Braintrust spokesperson Martin Bergman said that the company contacted customers “out of an abundance of caution” and emphasised that while a security incident had been confirmed, the company had “no evidence of a breach at this time.”
Braintrust operates a platform designed to help companies evaluate, monitor, and improve AI models and AI-powered applications. Founder and CEO Ankur Goyal previously described the platform as an “operating system for engineers building AI software.” Earlier this year, the company raised $80 million in a Series B funding round, valuing the startup at approximately $800 million.
Jaime Blasco, co-founder of cybersecurity startup Nudge Security, who received the breach notification from Braintrust, said the incident could create “downstream implications for affected customers,” particularly for AI companies that depend on Braintrust’s infrastructure and services.
Cybercriminals frequently target cloud accounts and third-party platforms because these accounts and platforms often contain sensitive credentials and API keys. Once attackers obtain API keys, they can access systems as legitimate users, bypassing traditional login protections without directly hacking into a company’s internal network.
The incident echoes previous high-profile cloud-related security breaches. In 2023, software development company CircleCI suffered a similar compromise involving customer secrets stored in cloud infrastructure and urged users to rotate “any secrets” connected to its systems.
More recently, a cybersecurity agency in the European Union disclosed that hackers stole approximately 92 gigabytes of data from a compromised AWS account used by the European Commission. That breach reportedly impacted 29 additional EU entities and exposed data belonging to dozens of internal European Commission clients.