Overview
Severity: CRITICAL | Affected: Chroma AI | Category: breach
Emerging AI startup Chroma AI disclosed a critical security breach that occurred in late January. Attackers exploited a vulnerability in a third-party CI/CD pipeline tool to gain access to the company's core infrastructure. The breach resulted in the exfiltration of sensitive user data, including millions of user prompts and personally identifiable information (PII) used for account registration. More significantly, the threat actors successfully stole the proprietary model weights for 'Chroma-Next', the company's upcoming flagship generative model, which was still in pre-release testing. The incident highlights the growing threat of supply chain attacks targeting the AI industry, where the theft of intellectual property like model weights can be as damaging as the loss of customer data. Chroma AI has since patched the vulnerability, notified affected users, and is collaborating with federal law enforcement agencies. The company's valuation is expected to be significantly impacted by the intellectual property loss.