Overview
Severity: CRITICAL | Affected: Chroma AI | Category: breach
Emerging AI leader Chroma AI has confirmed a significant security breach that occurred in early February 2025. Attackers exploited a zero-day vulnerability in a third-party data processing library used within Chroma's MLOps pipeline, gaining access to critical infrastructure. The breach resulted in the exfiltration of an estimated 50 terabytes of data, including proprietary curated datasets used for training their flagship 'Spectrum-5' model, pre-release model weights, and millions of enterprise user prompts. The exposed user data, while anonymized, could potentially be de-anonymized through analysis, posing a severe privacy risk. Chroma AI is working with cybersecurity firms to investigate the incident and has notified affected enterprise customers. The incident highlights the growing threat of supply chain attacks targeting the valuable intellectual property held by AI companies and the sensitive nature of user interaction data.