AI evaluation startup Braintrust confirms breach, tells every customer to rotate sensitive keys
AI evaluation startup Braintrust has urged customers to revoke and replace their API keys after an earlier breach of customer secrets. According to an email sent to customers Monday and seen by TechCrunch, the startup confirmed “unauthorized access” in one of its Amazon Web Services (AWS) cloud accounts, which contained API keys used by customers for accessing cloud-based AI models.
“We’ve communicated with one impacted customer and to date have not found evidence of broader exposure,” read the email. The email asked “every customer to rotate” any of the API keys that they store with Braintrust. Braintrust disclosed the security incident on its website on Tuesday. “The incident has been contained, and in the meantime, we’ve locked down the compromised account, audited and restricted access across related systems, and rotated internal secrets.” The company said the cause of the breach is under investigation.
Braintrust spokesperson Martin Bergman told TechCrunch that the company sent the email to customers “out of an abundance of caution” and that it “confirmed a security incident, but there is no evidence of a breach at this time.”
Braintrust provides a platform designed for companies to monitor AI models and products. Founder and CEO Ankur Goyal previously told TechCrunch that Braintrust is like an “operating system for engineers building AI software.” The startup raised $80 million in a Series B funding round in February, which valued the company at $800 million.
Jaime Blasco, the co-founder of cybersecurity startup Nudge Security who received a breach email alert from Braintrust, told TechCrunch that the incident could have “downstream implications for affected customers,” like AI companies that rely on Braintrust.
Hackers frequently target corporate accounts on cloud services or third-party platforms as an effective way of stealing secrets, like API keys. Once hackers get their hands on API keys, they can log into the company or customers’ systems appearing as if they are legitimate users, without needing to break into the target company’s systems.
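Because a stolen API key authenticates exactly like the legitimate holder, the two things a customer of an exposed platform can actually do are (1) enumerate and rotate every key that was stored with the third party and (2) look at the model provider's own usage logs for accepted calls with those keys from sources never seen before the incident. The script below is an added example illustrating both steps; it is not Braintrust's, TechCrunch's or any provider's code. The inventory, the JSON-lines auth log, the field names (`key_id`, `src_ip`, `status`, `stored_with_third_party`, `rotated_at`) and the incident timestamp are all constructed placeholders.

```python
"""Key-rotation triage after a third-party secret exposure (added example).

Assumes a constructed key inventory and constructed JSON-lines auth log
records; all field names and timestamps are hypothetical placeholders.
"""
import json
from datetime import datetime, timezone

# Placeholder for the time the third party says the exposure began.
INCIDENT_AT = "2025-01-06T00:00:00Z"

# Constructed inventory: which of our provider API keys were stored with the
# third-party platform, and whether we have already rotated them.
INVENTORY = [
    {"key_id": "key_prod_01", "stored_with_third_party": True, "rotated_at": None},
    {"key_id": "key_prod_02", "stored_with_third_party": True, "rotated_at": "2025-01-08T10:00:00Z"},
    {"key_id": "key_local_03", "stored_with_third_party": False, "rotated_at": None},
]

# Constructed auth log from the model provider, one JSON object per line.
AUTH_LOG = """
{"ts": "2025-01-05T09:00:00Z", "key_id": "key_prod_01", "src_ip": "203.0.113.5", "status": "ok"}
{"ts": "2025-01-05T09:05:00Z", "key_id": "key_local_03", "src_ip": "192.0.2.1", "status": "ok"}
{"ts": "2025-01-07T13:00:00Z", "key_id": "key_prod_01", "src_ip": "203.0.113.5", "status": "ok"}
{"ts": "2025-01-07T14:00:00Z", "key_id": "key_prod_01", "src_ip": "198.51.100.7", "status": "ok"}
{"ts": "2025-01-07T15:00:00Z", "key_id": "key_local_03", "src_ip": "198.51.100.7", "status": "ok"}
{"ts": "2025-01-09T16:00:00Z", "key_id": "key_prod_02", "src_ip": "203.0.113.5", "status": "revoked"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def keys_needing_rotation(inventory, incident_at):
    """Keys stored with the third party that have not been rotated since the incident."""
    cutoff = parse_ts(incident_at)
    return sorted(
        k["key_id"]
        for k in inventory
        if k["stored_with_third_party"]
        and (k["rotated_at"] is None or parse_ts(k["rotated_at"]) < cutoff)
    )


def _load_events(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def baseline_sources(events, incident_at):
    """Map key_id -> set of source IPs that used the key successfully before the incident."""
    cutoff = parse_ts(incident_at)
    seen = {}
    for e in events:
        if e["status"] == "ok" and parse_ts(e["ts"]) < cutoff:
            seen.setdefault(e["key_id"], set()).add(e["src_ip"])
    return seen


def suspicious_uses(log_text, inventory, incident_at):
    """Accepted post-incident calls with an exposed key from a source not in its baseline.

    Returns a list of (ts, key_id, src_ip) tuples. Rejected calls (e.g. an
    already-revoked key) are ignored: they indicate rotation worked, not misuse.
    """
    exposed = {k["key_id"] for k in inventory if k["stored_with_third_party"]}
    events = _load_events(log_text)
    cutoff = parse_ts(incident_at)
    baseline = baseline_sources(events, incident_at)
    flagged = []
    for e in events:
        if e["key_id"] not in exposed or e["status"] != "ok":
            continue
        if parse_ts(e["ts"]) < cutoff:
            continue
        if e["src_ip"] not in baseline.get(e["key_id"], set()):
            flagged.append((e["ts"], e["key_id"], e["src_ip"]))
    return flagged


if __name__ == "__main__":
    print("Rotate now:", keys_needing_rotation(INVENTORY, INCIDENT_AT))
    for ts, key_id, src_ip in suspicious_uses(AUTH_LOG, INVENTORY, INCIDENT_AT):
        print(f"REVIEW {ts} {key_id} used from new source {src_ip}")
```

Note that `key_local_03` is used from the same unfamiliar address but is not flagged, because it was never stored with the third party and is outside the incident's scope; the `revoked` entry for `key_prod_02` is evidence that its rotation took effect rather than an alert.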
CircleCI, a company that provides development products for software engineers, was hit with a similar cloud data breach in 2023, and similarly asked its customers to rotate “any and all secrets” they stored with the company. More recently, an EU cybersecurity agency said hackers were able to steal 92 gigabytes of data from a compromised AWS account used by the European Commission. The breach affected 29 other EU entities and the data of dozens of internal European Commission clients.