An AWS Breach at Braintrust Exposed the Keys to Your AI Stack. Every Eval Tool Is a Credential Warehouse Now.
On May 4, 2026, an unauthorized actor accessed one of Braintrust’s Amazon Web Services accounts and likely obtained the org-level AI provider API keys that the platform stores on behalf of its customers. Braintrust — an AI evaluation and observability startup valued at $800 million after a February 2026 Series B — locked down the compromised account the same day, rotated internal secrets, and the next morning told every customer to rotate any API keys they had stored with the platform.
The company confirmed at least one customer was directly affected, with three additional customers reporting unusual spikes in AI provider usage consistent with unauthorized API calls. No evidence of broader data exfiltration was found at the time of disclosure. Spokesperson Martin Bergman told TechCrunch the notification was sent “out of an abundance of caution” — while also confirming a security incident had occurred.
The incident is modest in confirmed scope. It is significant as a structural signal: AI observability and evaluation platforms now sit at the center of every enterprise AI stack, holding credentials that can authorize spending, access training data, and impersonate legitimate customers across dozens of downstream AI services. That makes them a tier-one target — and the Braintrust breach is the latest in a string of incidents that make the threat concrete.
- May 4, 2026 — date Braintrust detected unauthorized access to its AWS account — customers notified the following morning · Source: TechCrunch, SecurityWeek
- 1 confirmed + 3 suspicious — customers affected: one directly confirmed, three more with unexplained AI provider usage spikes under investigation · Source: Security Affairs, Rescana
- $800M — Braintrust valuation after its $80M Series B led by ICONIQ in February 2026 — Notion, Stripe, Vercel, Dropbox, and Cloudflare are among its customers · Source: TechCrunch
- 70% — of organizations have integrated at least one AI or MCP third-party package, often without central security oversight — Tenable Cloud and AI Security Risk Report 2026
Braintrust (braintrust.dev) is an AI observability, evaluation, and logging platform that engineering teams use to monitor LLM applications in production. The company’s own description: “AI fails differently than normal software. You need a new kind of observability to monitor and fix it.” Practically, that means Braintrust sits between a company’s application code and the AI model APIs it calls — tracing every prompt, response, token count, latency, and cost across providers including OpenAI, Anthropic, Google, and others.
To do that job, Braintrust stores the API keys companies use to authenticate with those providers. That credential storage is not incidental — it is central to the product’s value. Its customers include Notion, Stripe, Vercel, Airtable, Instacart, Zapier, Ramp, Dropbox, Cloudflare, and Coursera, according to its website. In February 2026, the company closed an $80 million Series B led by ICONIQ Growth, with Andreessen Horowitz, Greylock, and Elad Gil participating, at a valuation of $800 million.
At some point before May 4, 2026, an unauthorized actor gained access to one of Braintrust’s internal AWS accounts. The attack method maps to MITRE ATT&CK T1078.004 (Valid Cloud Accounts) — using legitimately obtained or stolen credentials to access AWS resources while appearing as an authorized user. Braintrust has not disclosed how the attacker acquired the initial foothold.
The compromised account “likely exposed” org-level AI provider API keys stored within the platform, Braintrust said in its disclosure. Those keys function as machine passwords: a holder can authenticate as the customer organization, call AI models, incur billing costs, and access associated data — all while appearing as a legitimate user in the provider’s logs. After detecting suspicious activity on May 4, the company locked down the affected account, audited and restricted access across related systems, rotated its own internal secrets, and engaged outside incident response experts. On May 5, customers received an email with indicators of compromise and instructions to rotate keys immediately.
“This is the new shape of supply chain risk: every AI eval, observability, and gateway tool a company adopts becomes a credential warehouse, and those warehouses are now a tier-one target.”
Jaime Blasco, CTO, Nudge Security · quoted in SecurityWeek, May 2026
Braintrust confirmed one customer was directly affected by the breach. Three additional customers reported anomalous spikes in AI provider usage — consistent with unauthorized API calls using exposed credentials — though those cases remained under investigation at the time of disclosure. The company stated it had found no evidence of broader customer data exposure “to date.”
Nudge Security CTO Jaime Blasco outlined the potential blast radius to SecurityWeek: the org-level AI provider keys possibly exposed in the incident were held for AI-forward companies including Box, Cloudflare, Dropbox, Notion, Ramp, and Stripe. A single compromised key for one of those customers would allow an attacker to call AI model APIs at the victim’s expense, potentially access training data or stored prompts, and evade detection because requests appear as legitimate traffic.
Braintrust said it planned to add safeguards including timestamps and user attribution for API key changes — a response to the fact that, at the time of the incident, the platform lacked an audit trail showing which internal processes accessed stored customer credentials and when.

The Braintrust incident did not occur in isolation. It fits a documented and accelerating pattern in 2025 and 2026 in which attackers systematically target the tooling layer of the AI ecosystem rather than individual AI models or end-user applications.
The most technically significant parallel is the LiteLLM supply chain compromise of March 2026. LiteLLM is an open-source Python library with roughly 95 million monthly downloads used by developers to route API calls across LLM providers. On March 24, 2026, a threat group identified as TeamPCP gained access to the LiteLLM maintainer’s PyPI publishing credentials and pushed two malicious versions (1.82.7 and 1.82.8) to the Python Package Index. The payload — a .pth file that auto-executes on every Python interpreter start — targeted AWS, GCP, and Azure credentials, SSH keys, and Kubernetes secrets, according to Trend Micro’s research on the compromise. Reporting on that incident described a major AI-training vendor having a large volume of data exfiltrated — a reminder that a single poisoned dependency can cascade across the AI tooling that many companies share.
The premise: AI eval, observability, and gateway tools must hold credentials to do their jobs. That is not a design flaw — it is the core function.
The consequence: Every such platform becomes a centralized credential repository. A single breach can expose the AI-provider keys of every customer on the platform simultaneously — a much higher-yield target than attacking individual companies.
The scale: Tenable’s 2026 Cloud and AI Security Risk Report found that 70% of organizations have integrated at least one AI or MCP third-party package, and 65% possess unused or unrotated cloud credentials. GitGuardian counted nearly 29 million newly exposed secrets on public GitHub in 2025 alone — a 34% year-over-year increase.
“The blast radius isn’t Braintrust, it’s every downstream customer’s AI stack.”
Jaime Blasco, CTO, Nudge Security · SecurityWeek, May 2026
The security research community reacted quickly. Blasco’s formulation — that AI tooling platforms are now “credential warehouses” and “tier-one targets” — circulated widely as shorthand for the structural shift. The concern is not specific to Braintrust: any platform that sits between application code and AI provider APIs, and must hold credentials to fulfill that role, faces the same exposure surface.
Rescana’s incident analysis noted that the breach maps directly to MITRE ATT&CK T1078.004, and emphasized that the attack method leaves no malware footprint — requests using the exposed keys appear as normal, authenticated traffic in both Braintrust’s logs and the downstream AI provider’s logs. That makes detection dependent on behavioral anomaly detection (usage spikes, unusual request patterns, geographic anomalies), not signature-based tools.
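The behavioral detection Rescana describes can be approximated with a per-key baseline. The following is an added example, not Braintrust’s, Rescana’s or any provider’s code, that flags hourly token spikes and requests from countries not seen during a learning window, run over constructed usage records:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of hourly usage for two org-level provider keys, in the
# shape a provider's usage export might take after parsing. Not real data.
SAMPLE_USAGE = [  # (key_id, hour, tokens, source_country)
    ("key-org-a", "05-03T09", 44_000, "US"),
    ("key-org-a", "05-03T10", 52_000, "US"),
    ("key-org-a", "05-03T11", 47_000, "US"),
    ("key-org-a", "05-03T12", 50_000, "US"),
    ("key-org-a", "05-04T03", 2_100_000, "US"),  # ~40x normal volume
    ("key-org-a", "05-04T04", 46_000, "RO"),     # normal volume, new country
    ("key-org-b", "05-03T09", 3_000, "DE"),
    ("key-org-b", "05-03T10", 3_500, "DE"),
    ("key-org-b", "05-03T11", 3_200, "DE"),
    ("key-org-b", "05-03T12", 2_900, "DE"),
    ("key-org-b", "05-04T03", 3_100, "DE"),
]

def build_baselines(records, baseline_hours=4):
    """Per key: token mean/stdev and the countries seen in the first
    baseline_hours records, which serve as the learning window."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[rec[0]].append(rec)
    baselines = {}
    for key, rows in by_key.items():
        window = rows[:baseline_hours]
        tokens = [r[2] for r in window]
        baselines[key] = {"mean": mean(tokens), "stdev": pstdev(tokens),
                          "countries": {r[3] for r in window}, "n": len(window)}
    return baselines

def detect_anomalies(records, baseline_hours=4, z=3.0, floor=2.0):
    """Flag hours after the learning window whose token volume exceeds both
    mean + z*stdev and floor*mean (the floor avoids alerting on a flat
    baseline with near-zero stdev), or that arrive from an unseen country."""
    baselines = build_baselines(records, baseline_hours)
    seen = defaultdict(int)
    alerts = []
    for key, hour, tokens, country in records:
        seen[key] += 1
        base = baselines[key]
        if seen[key] <= base["n"]:
            continue  # still inside the learning window
        if tokens > base["mean"] + z * base["stdev"] and tokens > floor * base["mean"]:
            alerts.append((key, hour, "volume_spike", tokens))
        if country not in base["countries"]:
            alerts.append((key, hour, "new_country", country))
    return alerts
```

A production version would key on the provider's billing export rather than the platform's own logs, since the point of the incident is that the intermediary's logs may not record who used a stored key.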
We've identified a security incident affecting one of our AWS accounts. We've locked down the compromised account, rotated internal secrets, and are asking every customer to rotate any org-level AI provider keys stored with Braintrust as a precaution. Full details and remediation steps in our security update.
Federal guidance on precisely this category of risk has been accumulating. In May 2025, the NSA Artificial Intelligence Security Center, CISA, and the FBI — alongside allied agencies from Australia, the United Kingdom, and New Zealand — released a joint advisory titled “AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems.” It identified unauthorized access, data tampering, and inadvertent credential leakage as the primary risk categories for deployed AI systems, and directed organizations to apply the NIST AI Risk Management Framework accordingly.
In March 2026, the NSA and seven allied national cybersecurity agencies released a broader document, “Artificial Intelligence and Machine Learning — Supply Chain Risks and Mitigations,” defining a six-component AI/ML supply chain (training data, models, software, infrastructure, hardware, and third-party services) and recommending AI Bills of Materials, cryptographic integrity validation, and mandatory threat modeling across the full AI pipeline. The Braintrust incident falls squarely in the “third-party services” component: an AI SaaS platform holding customer credentials as a function of its core service.
Tenable’s 2026 research — drawn from anonymized telemetry across public cloud and enterprise environments from April to December 2025 — found that 18% of organizations have granted AI services administrative permissions that are rarely audited, and that 52% of non-human identities (AI agents, service accounts, API integrations) carry higher risk than their human-user equivalents because they are less frequently reviewed and rotated. The Braintrust breach is, in part, a story about non-human identity hygiene: credentials issued to a platform’s internal AWS processes that were not sufficiently isolated, monitored, or rotated.
1. Security Affairs — “Braintrust security incident raises concerns over AI supply chain risks,” May 9, 2026
2. TechCrunch — “AI evaluation startup Braintrust confirms breach, tells every customer to rotate sensitive keys,” May 6, 2026
3. SecurityWeek — “AI Firm Braintrust Prompts API Key Rotation After Data Breach,” May 2026
4. Paubox — “Braintrust tells customers to rotate API keys after AWS account breach,” May 2026
5. Rescana — “Braintrust AWS Data Breach Prompts Urgent API Key Rotation for AI Platform Customers,” May 2026
6. Braintrust — official platform homepage (braintrust.dev), product description and customer list, accessed June 2026
7. Trend Micro Research — “Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise,” March 2026
8. Tenable — “Tenable Research Reveals Growing AI Exposure Gap Fueled by Supply Chain Risks and Lack of Identity Controls,” Cloud and AI Security Risk Report 2026 (press release, February 19, 2026)
9. Cloud Security Alliance — “The State of Cloud and AI Security in 2026,” March 13, 2026
10. NSA AISC / CISA / FBI / allied agencies — “Artificial Intelligence and Machine Learning – Supply Chain Risks and Mitigations,” eight-nation joint guidance, March 4–5, 2026
11. NSA AISC / CISA / FBI — “AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems,” joint advisory, May 22, 2025
12. GitGuardian — “29 million leaked secrets in 2025: Why AI agents credentials are out of control,” Help Net Security, April 14, 2026
13. News4Hackers — “AI Firm Braintrust Rotates API Keys Following Data Security Incident,” May 2026
14. IT Security News — “Braintrust security incident raises concerns over AI supply chain risks,” May 2026
Last updated June 14, 2026