Braintrust confirms unauthorized access to an AWS cloud environment holding customer AI provider API keys. The $800M startup urges all customers to rotate credentials immediately amid an ongoing investigation

Continue reading
AI evaluation startup Braintrust has confirmed a security breach of one of its Amazon Web Services cloud environments, notifying its entire customer base by email on Monday, May 5, 2026, and urging every customer to immediately revoke and rotate any API keys they had stored within the platform.
The company disclosed the incident publicly on its trust portal on Tuesday, confirming that the compromised AWS account contained API keys customers had entrusted to Braintrust for accessing cloud-based AI models — credentials that, if extracted and abused, would give attackers authenticated access to those models while appearing as fully legitimate users.
The breach notification email, reviewed by TechCrunch, stated that Braintrust had communicated directly with one confirmed impacted customer and had found no evidence of broader exposure at that point. However, the company's decision to issue a platform-wide key rotation advisory — covering every customer, not just the one confirmed affected — signals that its internal investigation has not yet ruled out wider access, and that the precautionary scope of the incident is materially larger than the confirmed scope.
For security teams tracking AI platform supply chain breaches, this incident is a textbook illustration of why third-party credential storage in AI tooling infrastructure represents one of the most underappreciated attack surfaces in the modern enterprise.
To appreciate why this breach carries downstream risk that extends well beyond Braintrust itself, it is important to understand what the platform actually does — and what kinds of credentials its customers hand over to it.
Braintrust positions itself, in the words of founder and CEO Ankur Goyal, as an "operating system for engineers building AI software." More specifically, it is an AI evaluation and observability platform — a layer that sits between AI engineering teams and the underlying models they build on top of, designed to help organizations monitor model outputs, track regressions, score responses, run evals, and catch hallucinations or quality degradations before they reach production.
To do that job, Braintrust needs to interact with the AI models its customers rely on — which means customers must supply their API keys for services like OpenAI, Anthropic, Google Gemini, or AWS Bedrock directly to Braintrust's infrastructure. Those keys are stored in Braintrust's cloud environment and used programmatically to run evaluation pipelines on behalf of customers.
That architectural reality is precisely what makes the breach significant. The compromised AWS account did not just hold Braintrust's internal operational data. It held the access credentials that Braintrust's customers use to authenticate to their own AI providers. An attacker who exfiltrated those keys does not need to breach OpenAI's infrastructure, or Google's, or Anthropic's. They already have authenticated credentials that let them call those APIs — consume tokens, exfiltrate model outputs, probe production systems — while appearing as a legitimate, recognized user.
This is the downstream implication that Jaime Blasco, co-founder of cybersecurity startup Nudge Security and a recipient of Braintrust's breach notification, flagged when he described the potential for "downstream implications for affected customers." The exposure is not just Braintrust's — it is every customer whose keys lived in that compromised environment.
API key theft is among the most quietly effective credential attack vectors in cloud-native environments, and it is one that cloud-based credential theft campaigns have exploited with increasing frequency and sophistication.
Unlike password-based authentication, API keys are typically long-lived, do not require multi-factor authentication to use, and are often scoped with broad permissions to accommodate the service integrations they support. When an application like Braintrust stores a customer's AI provider API key, that key is usually granted enough privilege to make production-grade inference calls — meaning an attacker who obtains it can immediately begin impersonating the customer against the target API.
Critically, API keys do not announce their misuse. There is no login alert, no MFA push, no session anomaly — just a sequence of authenticated API calls that looks, from the outside, indistinguishable from normal application behavior. The victim organization may not detect the compromise until they notice unexpected token consumption on their billing dashboard, or until a model provider flags anomalous usage patterns from an unusual geography or IP range.
This is why Braintrust's notification urges rotation of all stored keys immediately — because as long as a valid key exists, an attacker holding a copy of it retains persistent authenticated access without any further exploitation required.
The targeting of third-party platforms' cloud environments to harvest customer secrets is not a novel tactic. It is a well-established and highly effective adversarial playbook, and the Braintrust breach fits into a clear pattern of escalating incidents against cloud-hosted developer tooling and AI infrastructure.
CircleCI, the developer-focused continuous integration and delivery platform, suffered a nearly identical cloud breach in early 2023, in which attackers compromised an internal system holding customer secrets and forced a company-wide advisory for customers to rotate "any and all secrets" stored with the service. The structural similarity to the Braintrust incident is striking: a developer tooling platform, secrets stored in cloud infrastructure, a precautionary full-customer rotation advisory.
More recently, the European Union's cybersecurity landscape was shaken when the EU Agency for Cybersecurity confirmed that hackers extracted 92 gigabytes of data from a compromised AWS account used by the European Commission, an incident that cascaded through 29 other EU entities and exposed data belonging to dozens of internal clients. The attack vector was the same: compromise a cloud account, exfiltrate what it contains, leverage the access it provides.
The recurring theme across all of these incidents is that attackers are not trying to break cryptography or reverse-engineer zero-day exploits. They are targeting the organizational trust relationships baked into developer and AI tooling platforms — the implicit assumption that the SaaS tool holding your credentials is itself hardened against attack. When that assumption fails, the customer bears the credential exposure.
For organizations building AI pipelines and evaluations on top of platforms like Braintrust, this incident is a direct prompt to audit third-party AI tooling credential exposure risks across their entire vendor stack — not just in response to this specific breach, but as a standing security hygiene practice.
Braintrust says it has taken the following containment actions in the wake of the discovered intrusion: locking down the compromised AWS account, conducting a full audit of access across related systems, and rotating internal secrets. The company's public trust portal update characterized the incident as contained.
Braintrust spokesperson Martin Bergman drew a careful distinction in a statement to TechCrunch, describing the customer email as being sent _"out of an abundance of caution" and noting that while the company confirmed a security incident, there is "no evidence of a breach at this time."_ That phrasing — confirming an incident while declining to call it a breach — is a deliberately chosen formulation that organisations frequently use in the early stages of incident investigation, before the forensic scope has been fully established.
The root cause of how the AWS account was compromised remains under active investigation. Braintrust has not disclosed whether the intrusion involved compromised internal credentials, a misconfigured cloud resource, a vulnerability in a connected service, or some other attack vector. Until that root cause is established, the full scope of what may have been accessed cannot be conclusively determined, which is precisely why the company's "rotate everything" advisory to customers is the operationally correct response regardless of the investigation's current findings.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been