AI evaluation startup Braintrust confirms the hack occurred, asking each customer to rotate sensitive keys

Artificial intelligence evaluation startup Braintrust has urged customers to revoke and replace their API keys after a previous breach of customer secrets.

According to an email sent to customers on Monday and seen by TechCrunch, the startup confirmed “unauthorized access” to one of its Amazon Web Services cloud accounts, which contains API keys that customers use to access cloud-based AI models.

“We have reached out to one affected customer and have so far found no evidence of broader exposure,” the email said.

The email asks each Recycling Client which API keys it stores with Braintrust.

Trust the mind It has been detected The security incident was posted on its website on Tuesday. “The incident has been contained, and in the meantime, we have locked down the compromised account, audited and restricted access across relevant systems, and shared internal secrets.”

The company said the cause of the violation is under investigation.

Braintrust spokesperson Martin Bergmann told TechCrunch that the company sent the email to customers “out of an abundance of caution,” and that it “confirmed a security incident occurred, but there is no evidence of a breach at this time.”

Braintrust provides a platform designed for companies to monitor AI models and products. Founder and CEO Ankur Goyal He previously told TechCrunch Braintrust is like “an operating system for engineers who build AI software.” startup It raised $80 million In a Series B funding round in February, which valued the company at $800 million.

Jaime Blasco, co-founder of a cybersecurity startup Security boost TechCrunch, which received an email alert of the hack from Braintrust, told TechCrunch that the incident could have “impacts on affected customers,” such as AI companies that rely on Braintrust.

Hackers often target corporate accounts Cloud services Or third-party platforms as an effective way to steal secrets, such as API keys. Once hackers have the API keys, they can log into a company’s or customer’s systems as if they were legitimate users, without having to break into the target company’s systems.

CircleCI, a company that provides development products for software engineers, It suffered a similar cloud data breach In 2023, it similarly asked its customers to share “any and all secrets” they stored with the company.

Recently, the European Union’s cybersecurity agency said Hackers managed to steal 92GB Data from a hacked Amazon Web Services (AWS) account used by the European Commission. The breach affected 29 other EU entities and the data of dozens of internal European Commission clients.