AI evaluation startup Braintrust has urged customers to revoke and replace their API keys after a previous breach of client secrets.
According to an email sent to customers on Monday and seen by TechCrunch, the startup confirmed “unauthorized access” to one of its Amazon Web Services (AWS) cloud accounts, which contained API keys used by customers to access cloud-based AI models.
“We have contacted an affected customer and to date have found no evidence of a wider exposure,” the email read.
The email asked “each customer to rotate” any of the API keys they store with Braintrust.
Braintrust disclosed the security incident on its website on Tuesday. “The incident has been contained and in the meantime, we have locked the compromised account, audited and restricted access to relevant systems, and exchanged internal secrets.”
The company said the cause of the breach is under investigation.
Braintrust spokesman Martin Bergman told TechCrunch that the company sent the email to customers “out of an abundance of caution” and that it “has confirmed a security incident, but there is no evidence of a breach at this time.”
Braintrust provides a platform designed for companies to track AI models and products. Founder and CEO Ankur Goyal told TechCrunch that Braintrust is like an “operating system for engineers building AI software.” The startup raised $80 million in a Series B funding round in February that valued the company at $800 million.
Jaime Blasco, the co-founder of the cybersecurity startup Nudge Security, who received an email notification of a breach from Braintrust, told TechCrunch that the incident could have “results for affected customers,” such as the AI companies that rely on Braintrust.
Hackers often target corporate accounts on cloud services or third-party platforms as an effective way to steal secrets such as API keys. Once hackers get their hands on the API keys, they can log into the company's or its customers’ systems by posing as legitimate users, without having to break into the target company’s systems.
CircleCI, a company that provides development products for software engineers, was hit with a similar cloud data breach in 2023 and similarly asked its customers to rotate “any and all secrets” they had stored with the company.
Most recently, an EU cybersecurity agency said hackers were able to steal 92 gigabytes of data from a compromised AWS account used by the European Commission. The breach affected 29 other EU entities and the data of dozens of internal customers of the European Commission.
