Overview
Severity: CRITICAL | Affected: Cognition Labs | Category: incident
Cognition Labs, the creator of the AI software engineer Devin, disclosed a security incident where a misconfigured cloud storage bucket exposed sensitive customer data, including API keys for third-party services like GitHub, AWS, and Stripe. The exposure was discovered by a security researcher who reported it through the company's bug bounty program. The incident highlights the risks associated with autonomous AI agents handling sensitive credentials. The exposed data was publicly accessible for approximately 72 hours before the misconfiguration was remediated. Cognition Labs has since rotated all potentially exposed keys, notified affected customers, and implemented stricter access controls and automated scanning for its cloud infrastructure to prevent future occurrences.