PERMISSION/PROTOCOL

2026-05-04

Critical · Vendor post

Braintrust AWS breach exposes org-level AI provider API keys for all customers — OpenAI, Anthropic, Google credentials at risk

May 2026: Unauthorized access to Braintrust's AWS account exposed org-level AI provider API keys. All customers forced to rotate OpenAI, Anthropic, and Google credentials.

Vendor
Braintrust
Category
Credential exposure
Summary
Third-party platform breach exposing downstream AI provider credentials
Affected asset
Braintrust AWS account storing org-level AI provider API keys for all customers

What happened

Attackers accessed a Braintrust AWS account and exfiltrated org-level AI provider API keys stored for customer use.

Why it matters

All Braintrust customers were required to immediately rotate their AI provider credentials, and suspicious usage spikes (unauthorized AI API calls) were confirmed for at least four customers.

Missing authorization check

Each AI provider API call should require a signed authority receipt bound to the originating session and intended action — key possession alone should not be sufficient authorization.

Would PP block it?

If downstream agent actions using the stolen Braintrust credentials were PP-gated, the attacker would have stolen keys that still cannot authorize high-impact actions without a valid receipt from an authority channel. PP does not prevent the AWS breach itself or the credential exfiltration — it limits what the stolen credentials can do once out.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-04

    Braintrust detects suspicious activity; confirms unauthorized access to AWS account storing org-level AI provider API keys.

  2. 2026-05-05

    Braintrust emails all org admins with IOCs and key rotation instructions. Incident response experts engaged.

  3. 2026-05-05

    Four customers report suspicious AI provider usage spikes consistent with active key misuse.

  4. 2026-05-19

    Paubox publishes detailed incident timeline; SecurityBoulevard covers implications for agentic authentication.

Technical breakdown

  • Braintrust stores org-level AI provider API keys (OpenAI, Anthropic, Google) centrally in AWS to enable platform-level model access for all customers.
  • A single AWS account compromise becomes a multi-tenant credential breach — one attack surface exposes every customer's AI provider access.
  • Stolen API keys carry no action-level authorization context — the attacker can call any model as any customer with no approval gate.
  • Suspicious usage spikes confirm the keys were actively used before rotation, meaning real AI API costs and potential data exposure.
  • This is the agentic-era equivalent of a password manager breach: one platform compromise yields credentials for every downstream system.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Per-action API call authorization gate / session-bound receipt
Still needs
PP does not protect credentials stored in third-party platforms; enforcement applies at the point of action execution, not credential storage
Receipt required for
AI provider API calls made with platform-stored credentials, especially production model access

PP's authority receipts break the 'stolen key = full access' model for actions behind PP enforcement gates. However, Braintrust's own evaluation/observability workflows are not PP-gated, so PP does not prevent the initial credential theft.
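The per-action, session-bound receipt check described above, as an added illustration: this is not Permission Protocol's own code or receipt format (the page does not specify either), and the signing secret, provider key, session IDs and action names are constructed placeholders. A receipt is an HMAC over the session and intended action, expires, and is single-use, so a stolen key without a matching receipt, or a receipt captured from another session, is refused at the gate.

```python
import hmac
import hashlib
import json
import time

# Constructed demo values; not Permission Protocol's real format or API.
AUTHORITY_SECRET = b"demo-authority-signing-secret"  # lives only in the authority channel
PROVIDER_API_KEY = "sk-demo-PLACEHOLDER"             # the platform-stored key that could be stolen
RECEIPT_TTL = 300                                    # seconds a receipt stays valid
_used_receipts = set()                               # single-use: a captured receipt cannot be replayed


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(session_id, action, now=None):
    """Authority channel signs a receipt bound to one session and one intended action.
    The caller receives the receipt, never the signing secret."""
    issued = int(time.time() if now is None else now)
    body = {"session": session_id, "action": action, "iat": issued, "exp": issued + RECEIPT_TTL}
    sig = hmac.new(AUTHORITY_SECRET, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_receipt(receipt, session_id, action, now=None):
    """Gate-side check: authentic, unexpired, unused, and bound to THIS session and action."""
    if not receipt:
        return False
    expected = hmac.new(AUTHORITY_SECRET, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt.get("sig", "")):
        return False  # tampered body or forged signature
    body = receipt["body"]
    current = time.time() if now is None else now
    if current >= body["exp"]:
        return False  # expired
    if body["session"] != session_id or body["action"] != action:
        return False  # authentic receipt, but it authorizes a different session or action
    if receipt["sig"] in _used_receipts:
        return False  # replay of an already-spent receipt
    _used_receipts.add(receipt["sig"])
    return True


def gated_model_call(api_key, session_id, action, receipt, now=None):
    """Per-action gate in front of the provider call: key possession alone is not authorization."""
    if api_key != PROVIDER_API_KEY:
        return "denied: bad key"
    if not verify_receipt(receipt, session_id, action, now):
        return "denied: no valid receipt"
    # A real gate would forward the request to the provider here; the demo returns the decision.
    return f"forwarded: {action} for {session_id}"
```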

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
