AI evaluation and observability platform Braintrust urged customers this week to rotate API keys that may have been compromised after hackers accessed an AWS account.
The company says it discovered the incident on May 4, after receiving a report of suspicious behavior, and communicated it to customers via email on May 5. The message also included indicators of compromise (IOCs) and remediation steps.
Immediately after learning of the incident, Braintrust locked down the compromised account, audited related systems and restricted access to them, rotated internal secrets, and launched an investigation into the matter.
The internal AWS account used by its systems, Braintrust says, likely provided the attackers with access to API keys that organizations use to access AI models.
“As a precaution, we recommend that all customers rotate any org-level AI provider keys used with Braintrust,” the company said in an incident notice.
According to the company, at least one customer has been affected by the incident, with three other customers reporting suspicious spikes in AI provider usage.
“We have not identified broader customer exposure based on our investigation to date, but as a precaution we informed all org admins with stored AI provider secrets in Braintrust. The investigation is ongoing,” the company says.
Braintrust recommends that customers access their org-level settings page, delete or revoke the existing secrets, configure new secrets, and confirm that they were rotated by checking their timestamps.
The org-level AI provider API keys potentially exposed in the incident were likely stored for AI-forward companies such as Box, Cloudflare, Dropbox, Notion, Ramp, Stripe, and others, Nudge Security CTO Jaime Blasco told SecurityWeek.
“The blast radius isn’t Braintrust, it’s every downstream customer’s AI stack, and a single SaaS compromise fans out across dozens of LLM provider accounts. This is the new shape of supply chain risk: every AI eval, observability, and gateway tool a company adopts becomes a credential warehouse, and those warehouses are now a tier-one target,” Blasco said.

