Cyber Incident Victim: Braintrust
Date:
May 2026
Location:
—
Summary
Braintrust discovered unauthorized access to an AWS account that stored customer API keys, prompting the immediate lockdown of the affected system and rotation of internal credentials. Upon detection, the firm notified users to revoke and regenerate any keys stored with the platform, and reported that one customer had been confirmed as directly impacted while three others exhibited suspicious usage patterns under review. Investigators found no evidence of broader data exfiltration, and the breach was linked to the use of valid cloud accounts consistent with MITRE ATT&CK technique T1078.004, with the root cause still under review.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 4, 2026, Braintrust detected unauthorized access to one of its Amazon Web Services cloud accounts that stored customer API keys for accessing cloud‑based AI models. The discovery prompted the company to immediately lock down the compromised AWS account and restrict access to related systems. Braintrust also rotated all internal credentials and secrets associated with the affected environment. The initial access vector has not been publicly disclosed, but the response actions indicate a compromise of cloud credentials.

Following the containment steps, Braintrust notified customers on May 5, 2026, advising them to revoke and regenerate any API keys stored with the platform. As of the latest verified reports, only one customer has been confirmed as directly affected by the breach, while three additional customers reported suspicious spikes in AI provider usage that are under investigation. There is no evidence of broader exposure or data exfiltration from the incident at this time. The breach highlights the risks associated with storing sensitive credentials in third‑party AI platforms.
Braintrust engaged incident response experts to conduct a comprehensive audit of the affected systems and to review activity logs for signs of misuse. The company stated that it is implementing additional safeguards, such as timestamps and user attribution for API key changes, to prevent recurrence. The attack method aligns with the MITRE ATT&CK technique T1078 (Valid Accounts), specifically T1078.004 (Cloud Accounts), though no malware, persistence mechanisms, or unique threat actor tactics have been identified. The cause of the breach remains under investigation, and Braintrust continues to monitor for any further anomalous activity.
