AI Evaluation Firm Braintrust Urges Customers to Secure Accounts Following Cloud Breach

AI evaluation startup Braintrust has advised its customers to immediately revoke and replace their sensitive API keys after confirming a security incident involving unauthorized access to one of its cloud accounts. The breach involved an Amazon Web Services (AWS) account that housed API keys, which customers use to access various cloud-based artificial intelligence models through Braintrust’s platform.

In communications sent to its user base, Braintrust acknowledged the “unauthorized access” and stated that the incident has been contained. The company moved swiftly to lock down the compromised account, conduct audits, restrict access across related systems, and rotate internal secrets to prevent further exposure. While an investigation into the cause of the breach is ongoing, the startup indicated that it has so far identified only one impacted customer and has not found evidence of wider exposure, emphasizing that the directive for all customers to rotate keys was issued “out of an abundance of caution.”

Braintrust provides a critical platform for companies to monitor and evaluate their AI models and products, with its founder and CEO, Ankur Goyal, previously describing it as an “operating system for engineers building AI software.” The company recently secured $80 million in Series B funding, pushing its valuation to $800 million. Cybersecurity experts highlight that incidents involving stolen API keys can have significant “downstream implications,” as these keys allow malicious actors to impersonate legitimate users and access corporate or customer systems without needing to directly infiltrate target companies.

This type of security incident is not uncommon in the tech industry. In 2023, CircleCI, a development product provider, experienced a similar cloud data breach, prompting it to ask customers to rotate all stored secrets. More recently, an EU cybersecurity agency reported that hackers compromised an AWS account used by the European Commission, leading to the theft of 92 gigabytes of data and affecting 29 other EU entities along with numerous internal clients. These incidents underscore the persistent threat of cloud service account compromises as a method for stealing sensitive credentials.
