AI evaluation startup Braintrust has confirmed unauthorized access to one of its Amazon Web Services cloud accounts and is urging every customer to revoke and replace their API keys. The company disclosed the incident on its website on Tuesday, May 6, 2026, after notifying customers by email on Monday.
The compromised AWS account contained API keys that customers use to access cloud-based AI models. Braintrust said it has “locked down the compromised account, audited and restricted access across related systems, and rotated internal secrets,” and described the incident as contained. The cause of the breach remains under investigation.
Despite confirming the incident, the company struck a cautious tone. Spokesperson Martin Bergman told TechCrunch the customer email was sent “out of an abundance of caution” and that “there is no evidence of a breach at this time.” The company also said it has communicated with one impacted customer and found no evidence of broader exposure.
Braintrust provides a platform for companies to monitor AI models and products. Founder and CEO Ankur Goyal has described it as an “operating system for engineers building AI software.” The startup raised $80 million in a Series B round in February 2026, valuing it at $800 million.
Jaime Blasco, co-founder of cybersecurity startup Nudge Security, who received a breach notification from Braintrust, told TechCrunch the incident could have “downstream implications for affected customers” — particularly AI companies that rely on Braintrust’s platform.
The incident echoes a 2023 breach at developer tools company CircleCI, which similarly asked customers to rotate all stored secrets after hackers accessed its systems. Stolen API keys allow attackers to access systems as legitimate users without needing to compromise the target directly, making cloud account breaches a frequent vector for credential theft.
Source: TechCrunch