Overview
Severity: CRITICAL | Affected: Cognition AI | Category: breach
Cognition AI, the firm behind the popular autonomous coding agent Devin, has confirmed a critical security breach that resulted in the exfiltration of gigabytes of sensitive internal data. The breach, which occurred in early March 2025, was reportedly carried out by a sophisticated threat actor who gained access via a compromised developer account. The stolen data includes significant portions of the source code for their core reasoning models, proprietary training datasets, and a cache of customer prompts and API keys from enterprise clients. Security analysts are concerned that the leaked source code could enable competitors to replicate their technology or allow malicious actors to discover and exploit new vulnerabilities. The exposure of customer prompts also poses a significant privacy risk and could reveal sensitive corporate strategies. Cognition AI is currently working with cybersecurity experts to investigate the full extent of the incident and has started notifying affected customers.