Braintrust Calls for AI API Key Rotation After AWS Account Compromise

Context AI observability platform Braintrust discovered suspicious activity on May 4 in one of its Amazon Web Services (AWS) accounts. The company locked the account, revoked internal credentials, and engaged external incident‑response specialists. Within 24 hours, customers were notified and given remediation steps.

Key Facts - The breach involved unauthorized access to a single AWS account that stored organization‑level API keys for cloud‑based AI models. - Braintrust verified that one customer’s data was compromised. Three additional customers reported abnormal spikes in AI usage, which are still under investigation. - As a precaution, Braintrust instructed all customers to rotate any AI provider keys stored in its platform. The firm also plans to add timestamps and user attribution for future key changes. - No broader exposure has been identified so far, but the incident highlights the growing risk of AI supply‑chain attacks where threat actors target cloud credentials to abuse downstream services.

What It Means The exposure of valid AI API keys allows attackers to consume paid AI services while appearing as legitimate users, bypassing traditional network defenses. Because AI providers bill per request, compromised keys can generate significant unexpected costs and potentially leak proprietary prompts or data. Organizations that rely on third‑party SaaS platforms to manage these secrets now face an additional attack surface: the SaaS provider’s own cloud environment.

Mitigations - Rotate all organization‑level AI provider keys immediately and generate new credentials through the AI vendor’s console. - Enforce least‑privilege IAM policies on cloud accounts that store secrets; restrict access to only those roles that require it. - Enable multi‑factor authentication (MFA) for all privileged users on AWS and any SaaS platform handling secrets. - Implement secret‑management tooling that logs access events, timestamps changes, and attributes actions to specific users. - Monitor usage patterns for AI services; set alerts for sudden spikes in request volume or cost. - Apply AWS GuardDuty and IAM Access Analyzer to detect anomalous credential use and overly permissive policies. - Conduct regular audits of stored API keys and retire any that are no longer in use.

Looking Ahead Watch for updates from Braintrust on additional safeguards and any further customer disclosures as the investigation progresses.