AI assessment startup Braintrust is calling on customers to revoke and replace their API keys after a previous breach of customer secrets.
According to an email sent to customers on Monday and reported by TechCrunch, the company confirmed “unauthorized access” to one of its Amazon Web Services cloud accounts, which contained an API key that customers use to access cloud-based AI models.
“We have contacted one affected customer, but to date we have found no evidence of broader infection,” the email said.
The email asked them to “rotate the API keys stored in Braintrust to all customers.”
Braintrust disclosed the security incident on its website on Tuesday. “The incident was contained, during which we locked down the compromised accounts, audited and restricted access across related systems, and rotated internal secrets.”
The company said the cause of the breach was under investigation.
Braintrust spokesperson Martin Bergman told TechCrunch that the company sent an email to customers “out of an abundance of caution” and that “a security incident has been confirmed, but there is no evidence of a breach at this time.”
Braintrust provides a platform designed for enterprises to monitor their AI models and products. Founder and CEO Ankur Goyal previously told TechCrunch that Braintrust is like an “operating system for engineers building AI software.” The startup raised $80 million in a Series B funding round in February, valuing the company at $800 million.
Jaime Blasco, co-founder of cybersecurity startup Nudge Security, which received a breach email alert from Braintrust, told TechCrunch that the incident could have “downstream implications for affected customers” as well as AI companies that rely on Braintrust.
Hackers frequently target corporate accounts on cloud services and third-party platforms as an effective way to steal secrets such as API keys. Once a hacker has an API key, they can log into a company's or customer's system as if they were a legitimate user without ever breaking into the target company's systems.
CircleCI, a company that provides development products for software engineers, suffered a similar cloud data breach in 2023 and similarly asked its customers to rotate “any secrets” stored with the company.
Just recently, the EU Cybersecurity Agency announced that hackers were able to steal 92 gigabytes of data from a compromised Amazon Web Services (AWS) account used by the European Commission. The breach affected data of customers within 29 other EU organizations and dozens of European Commissions.