Braintrust confirms AWS security incident and mandates API key rotation for all users
Startup says there is no evidence of data exfiltration beyond one customer, yet the incident mirrors recent security failures in the cloud engineering sector.

AI evaluation startup Braintrust has notified its user base of an unauthorized access incident involving one of its Amazon Web Services cloud accounts. The compromised environment contained sensitive API keys that customers use to access cloud-based AI models. In response, the company has instructed every user to immediately revoke and replace these credentials to ensure security across their infrastructure.
While the incident has been contained and the specific AWS account locked down, the root cause of the breach remains under investigation. Braintrust stated on its website that it has audited and restricted access across related systems and rotated internal secrets. A spokesperson, Martin Bergman, told TechCrunch that the notification was sent out of an abundance of caution, noting that while a security incident was confirmed, there is currently no evidence of a breach in the sense of data exfiltration beyond the single impacted customer.
The urgency of the directive stems from the nature of the compromised data. Cybersecurity experts, including Jaime Blasco of Nudge Security, warn that stolen API keys allow attackers to log into systems as legitimate users without needing to breach the target's primary defences. This creates potential downstream risks for AI companies relying on the platform, as hackers can access systems appearing as if they are authorised personnel.
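The rotation the article mandates takes two shapes in practice: routine rotation, where the old and new key overlap for a grace window so clients can cut over without an outage, and emergency rotation after a suspected compromise, where every live key is cut off at once because, as Blasco notes, a stolen key authenticates as the legitimate user. The Python sketch below is an added illustration, not Braintrust's code or API; it models a hypothetical in-memory key store with constructed timestamps, and the operations it stands in for (issue, deprecate, revoke, audit) are assumptions about what a provider's key-management API would offer.

```python
"""Credential rotation with an overlap window, emergency revocation, and an age audit.

Added example: a hypothetical in-memory key store, not any vendor's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class ApiKey:
    key_id: str
    created_at: datetime
    status: str = "active"                      # active -> deprecated -> revoked
    deprecated_at: Optional[datetime] = None


@dataclass
class KeyStore:
    keys: Dict[str, ApiKey] = field(default_factory=dict)

    def issue(self, now: datetime) -> str:
        """Mint a new key id; real secret material would be shown once and stored only hashed."""
        key_id = "key_" + secrets.token_hex(4)   # constructed identifier
        self.keys[key_id] = ApiKey(key_id, now)
        return key_id

    def rotate(self, now: datetime) -> Tuple[str, List[str]]:
        """Routine rotation: issue a replacement, then deprecate the keys it supersedes.
        Deprecated keys keep working until the grace window ends so clients can cut over."""
        old = [k for k in self.keys.values() if k.status == "active"]
        new_id = self.issue(now)
        for k in old:
            k.status, k.deprecated_at = "deprecated", now
        return new_id, [k.key_id for k in old]

    def sweep(self, now: datetime, grace: timedelta) -> List[str]:
        """Revoke deprecated keys whose grace window has elapsed."""
        revoked = []
        for k in self.keys.values():
            if k.status == "deprecated" and now - k.deprecated_at >= grace:
                k.status = "revoked"
                revoked.append(k.key_id)
        return revoked

    def emergency_rotate(self, now: datetime) -> Tuple[str, List[str]]:
        """Compromise response: no grace window. Everything still usable is revoked at once."""
        revoked = [k.key_id for k in self.keys.values() if k.status != "revoked"]
        for kid in revoked:
            self.keys[kid].status = "revoked"
        return self.issue(now), revoked

    def accepts(self, key_id: str) -> bool:
        """What the auth check sees: active and deprecated keys authenticate, revoked ones do not."""
        k = self.keys.get(key_id)
        return k is not None and k.status in ("active", "deprecated")

    def audit(self, now: datetime, max_age: timedelta, grace: timedelta) -> List[str]:
        """Flag long-lived active keys and deprecated keys still usable past their grace window."""
        findings = []
        for k in self.keys.values():
            if k.status == "active" and now - k.created_at > max_age:
                findings.append(f"{k.key_id}: active for {(now - k.created_at).days}d, exceeds max age")
            if k.status == "deprecated" and now - k.deprecated_at > grace:
                findings.append(f"{k.key_id}: deprecated key still usable past grace window")
        return findings


def demo() -> dict:
    """Walk through routine rotation, sweep, and emergency revocation on constructed timestamps."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    grace, max_age = timedelta(days=7), timedelta(days=90)
    store = KeyStore()
    k1 = store.issue(t0)
    k2, deprecated = store.rotate(t0 + timedelta(days=30))
    overlap_ok = store.accepts(k1) and store.accepts(k2)          # both work during cutover
    early_sweep = store.sweep(t0 + timedelta(days=31), grace)     # grace not yet over
    late_sweep = store.sweep(t0 + timedelta(days=37), grace)      # grace over: old key revoked
    k3, revoked = store.emergency_rotate(t0 + timedelta(days=40))  # compromise: cut everything
    return {
        "deprecated_on_rotate": deprecated == [k1],
        "overlap_ok": overlap_ok,
        "early_sweep_empty": early_sweep == [],
        "late_sweep_revoked_old": late_sweep == [k1] and not store.accepts(k1),
        "emergency_revoked_all_live": revoked == [k2] and not store.accepts(k2) and store.accepts(k3),
        "stale_key_findings": len(store.audit(t0 + timedelta(days=200), max_age, grace)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the outcome of each stage. The audit is the check worth keeping after an incident like this one: a deprecated key still accepted past its grace window, or an active key far older than policy allows, is exactly the kind of long-lived credential that turns a cloud-account compromise into an impersonation problem for everyone downstream.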
Braintrust describes itself as an operating system for engineers building AI software and recently raised $80 million in Series B funding, valuing the company at $800 million. Despite this growth, the security lapse highlights vulnerabilities in how third-party platforms manage secrets. The company confirmed the incident on its website on Tuesday, following an email sent to customers on Monday.
This event mirrors a similar breach at CircleCI in 2023, which also required customers to rotate secrets stored on their platform. More recently, a major AWS breach involving the European Commission saw hackers steal 92 gigabytes of data from a compromised account, affecting multiple EU entities. These precedents underscore the critical importance of the immediate actions Braintrust is now mandating for its user base.
Whether the company's statement that there is no evidence of data leakage holds up against its internal forensic findings will only become clear once the investigation concludes. Until then, the focus remains on the immediate mitigation steps required to protect the integrity of the systems connected to the compromised account.