Braintrust Security Incident Forces Customer API Key Rotation

AI evaluation platform Braintrust has instructed all customers to replace their stored API keys following a security incident involving one of its Amazon Web Services accounts. The company confirmed unauthorized access to an AWS cloud environment that contained customer API keys used to connect with cloud-based AI models.

In an email to customers reviewed by TechCrunch, Braintrust stated it had communicated with one potentially impacted customer and found no evidence of broader exposure. Still, the company asked every customer to rotate any API keys held within its systems. The incident was disclosed on Braintrust’s website Tuesday, with the company noting that the compromised account has been locked down, access across related systems audited and restricted, and internal secrets rotated. The cause remains under investigation.

Braintrust spokesperson Martin Bergman characterized the customer notification as a precautionary measure, emphasizing that while a security incident was confirmed, there is no evidence of a breach at this time. The company offers a platform for monitoring AI model performance and has been described by its CEO as an operating system for engineers building AI software. Braintrust raised $80 million in Series B funding in February, reaching an $800 million valuation.

Security experts note that API key exposures can have cascading effects for downstream customers, particularly AI companies relying on Braintrust’s services. The incident echoes a 2023 breach at CircleCI, which similarly required customers to rotate all stored secrets. It also follows a recent European Commission breach where hackers exfiltrated 92 gigabytes of data from a compromised AWS account, affecting 29 EU entities.

Source: TechCrunch