Overview
Severity: CRITICAL | Affected: Cognition Labs | Category: breach
Cognition Labs, the company behind the AI software engineer 'Devin', has announced a significant security breach that occurred in late January 2025. According to their official statement, unauthorized actors exploited a zero-day vulnerability in a third-party data orchestration library used within their cloud infrastructure. The breach resulted in access to private source code repositories, project data, and API keys for an estimated 15% of Devin's user base. The company's incident response team has since patched the vulnerability and is working with cybersecurity firms to investigate the full scope of the exfiltration. Cognition Labs is notifying all affected users and has reset credentials for its entire platform as a precautionary measure. This incident highlights the critical importance of supply chain security for AI-powered development tools, as even a single vulnerable dependency can lead to widespread data compromise.