What Happened at Braintrust
Here's the thing about API keys — they're basically the skeleton keys to your entire cloud infrastructure. And when a company that holds those keys for you gets breached, that's not a small problem. That's everyone's problem.
Braintrust, an AI evaluation startup, confirmed unauthorized access inside one of its Amazon Web Services accounts. That account, it turns out, contained API keys that customers use to access cloud-based AI models. The company moved fast: it sent an email to customers on Monday urging every single one of them to revoke and replace any API keys stored with Braintrust.
The email didn't sugarcoat it. It confirmed "unauthorized access" and, while noting that only one customer had been identified as directly impacted so far, Braintrust wasn't taking chances — asking every customer to rotate their keys regardless.
The Breach Disclosure and What Braintrust Says Publicly
Braintrust published a formal disclosure on its trust page on Tuesday. According to that notice, the incident has been contained. The company says it locked down the compromised account, audited and restricted access across related systems, and rotated its own internal secrets.
But — and this matters — the root cause is still under investigation. They don't yet know exactly how this happened.
A company spokesperson told reporters the email went out "out of an abundance of caution," adding that while a security incident was confirmed, there's "no evidence of a breach at this time." That's a careful distinction. Whether customers find it reassuring probably depends on how much they trust that framing.
Why This Kind of Breach Is So Dangerous
Think about it this way: when hackers get their hands on API keys, they don't need to "break in" anymore. They just walk through the front door looking like a legitimate user. No alarms, no red flags, no obvious intrusion. That's what makes stolen API keys so nasty.
This isn't a new playbook. Targeting corporate accounts on cloud platforms or third-party services has become one of the most effective ways for hackers to steal secrets. CircleCI — a development tools company — dealt with almost the exact same scenario back in 2023, asking customers to rotate "any and all secrets" after a similar cloud data breach. More recently, a compromised AWS account used by the European Commission led to hackers stealing 92 gigabytes of data, affecting 29 EU entities in the process.
The pattern is clear. Cloud-stored secrets are a high-value target. And when a third-party platform gets hit, the blast radius extends to every customer who trusted that platform with their keys.
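Because a stolen key authenticates cleanly, the question a customer has to answer after a notice like Braintrust's is not "did someone fail to log in" but "did a key get used by anyone other than our own workloads before we rotated it, and does the old key still work afterwards". The script below is an added example, not Braintrust's code or any vendor's API: it reads constructed newline-delimited JSON usage records (the field names ts, key_id, src_ip and user_agent are assumptions), compares every call made after the assumed exposure window opened against an inventory of the sources each key is legitimately used from, and separately flags any call that still succeeds after the key's revocation time, which would mean the rotation is incomplete. All key ids, IPs and timestamps are made up.

```python
"""Post-exposure triage of API-key usage logs (added example, constructed data)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: one JSON record per *successful* API call, as a provider
# might export it. The field names are assumptions, not any real vendor's schema.
SAMPLE_LOG = """\
{"ts": "2024-01-10T09:00:00Z", "key_id": "sk-live-aaaa", "src_ip": "203.0.113.10", "user_agent": "eval-runner/1.4"}
{"ts": "2024-01-15T10:00:00Z", "key_id": "sk-live-aaaa", "src_ip": "203.0.113.10", "user_agent": "eval-runner/1.4"}
{"ts": "2024-01-15T10:05:00Z", "key_id": "sk-live-aaaa", "src_ip": "198.51.100.7", "user_agent": "eval-runner/1.4"}
{"ts": "2024-01-15T10:06:00Z", "key_id": "sk-live-aaaa", "src_ip": "203.0.113.10", "user_agent": "curl/8.4.0"}
{"ts": "2024-01-15T11:00:00Z", "key_id": "sk-live-bbbb", "src_ip": "203.0.113.10", "user_agent": "eval-runner/1.4"}
{"ts": "2024-01-16T08:00:00Z", "key_id": "sk-live-aaaa", "src_ip": "203.0.113.10", "user_agent": "eval-runner/1.4"}
"""

# Constructed inventory: which keys we issued, where they are legitimately used
# from, and when each one was revoked during the rotation.
KNOWN_CLIENTS = {
    "sk-live-aaaa": {"src_ips": {"203.0.113.10"}, "user_agents": {"eval-runner/1.4"}},
}
REVOKED_AT = {
    "sk-live-aaaa": datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
}
# Earliest moment the key could have been in someone else's hands (assumed here;
# in practice taken from the third party's notice). Earlier calls are out of scope.
EXPOSURE_START = datetime(2024, 1, 14, 0, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    key_id: str
    ts: datetime
    reason: str


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON into event dicts, turning 'ts' into an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def triage(events: list[dict], exposure_start: datetime,
           known_clients: dict, revoked_at: dict) -> list[Finding]:
    """Return one Finding per successful call that our own inventory cannot explain."""
    findings: list[Finding] = []
    for ev in events:
        if ev["ts"] < exposure_start:
            continue  # predates the exposure window; not attributable to the incident
        key = ev["key_id"]
        revoked = revoked_at.get(key)
        if revoked is not None and ev["ts"] >= revoked:
            # A call that still succeeds after revocation means the old key is live.
            findings.append(Finding(key, ev["ts"], "accepted after revocation"))
            continue
        profile = known_clients.get(key)
        if profile is None:
            findings.append(Finding(key, ev["ts"], "key not in inventory"))
            continue
        if ev["src_ip"] not in profile["src_ips"]:
            findings.append(Finding(key, ev["ts"], f"unknown source ip {ev['src_ip']}"))
        elif ev["user_agent"] not in profile["user_agents"]:
            findings.append(Finding(key, ev["ts"], f"unknown user agent {ev['user_agent']!r}"))
    return findings


def run_sample() -> list[Finding]:
    """Triage the constructed log against the constructed inventory."""
    return triage(parse_log(SAMPLE_LOG), EXPOSURE_START, KNOWN_CLIENTS, REVOKED_AT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts.isoformat()} {f.key_id}: {f.reason}")
```

On the sample data this reports four calls: one from an IP the key is never used from, one with an unfamiliar client, one under a key that is no longer in the inventory at all, and one that the provider still accepted after the key was revoked. The first three are the "walked through the front door" case the text describes and need to be reconciled against your own deployments; the last one is the rotation check, and a single hit there means the revocation has not actually taken effect.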
Who Is Braintrust
Braintrust isn't a small operation anymore. The company — which its CEO once described as an "operating system for engineers building AI software" — raised $80 million in a Series B round in February, putting its valuation at $800 million. Its platform is designed to help companies monitor AI models and products. Which means its customers tend to be AI companies themselves.
That's the downstream risk here. A cybersecurity expert who received the breach notification pointed out that the incident could have "downstream implications for affected customers" — meaning AI companies that rely on Braintrust could themselves be exposed if compromised keys were used before they were rotated.