AI evaluation startup Braintrust confirms breach, tells every customer to rotate sensitive keys

Braintrust, a startup specializing in AI evaluation, has alerted its customers to update their API keys in light of a recent security breach. An email sent to users on Monday, which was reviewed by TechCrunch, disclosed that unauthorized access had been detected in one of its Amazon Web Services (AWS) accounts. This account contained sensitive API keys used by customers to access cloud-based AI services. The startup reassured its clients that they are working closely with only one customer impacted by the breach and have not identified any signs of wider exposure. In the communication, Braintrust emphasized the necessity for all customers to revoke and replace any API keys stored with them. On Tuesday, Braintrust updated its website to reflect the security incident, stating that they had contained the breach. They have locked the affected account, conducted an audit, restricted access across related systems, and rotated internal security measures. The investigation into the breach's cause is still ongoing. Spokesperson Martin Bergman noted that the precautionary measures taken were in response to the confirmed security incident, although he stated that there is no current evidence of a breach affecting more than the one customer. Braintrust's platform is designed to assist companies in monitoring AI models and products. Ankur Goyal, the founder and CEO, has previously described Braintrust as an “operating system for engineers developing AI software.” Earlier this year, the company secured $80 million in Series B funding, reaching a valuation of $800 million. Jaime Blasco, co-founder of cybersecurity firm Nudge Security, highlighted that this incident could have significant implications for AI companies relying on Braintrust’s services. He received the breach notification and emphasized the potential downstream effects on customers. Cybersecurity experts point out that hackers often target corporate accounts on cloud services to steal sensitive information like API keys. Once acquired, these keys allow unauthorized users to access company systems as if they were legitimate users. This breach comes in the wake of similar incidents, including a 2023 breach at CircleCI, which also prompted customers to rotate their stored secrets. Additionally, a recent report from a EU cybersecurity agency indicated that hackers stole 92 gigabytes of data from a compromised AWS account used by the European Commission, affecting multiple EU entities and numerous internal clients.