Overview
Severity: CRITICAL | Affected: Cognition Labs | Category: breach
AI startup Cognition Labs, creators of the Devin AI software engineer, announced a significant security breach that occurred in late February 2025. Attackers exploited a zero-day vulnerability in a third-party data processing library used in their training pipeline. The breach resulted in the exfiltration of several terabytes of data, including subsets of proprietary source code used for training, anonymized user interaction logs, and sensitive fine-tuning datasets.

While the company stated that direct personally identifiable information (PII) of end-users was not compromised, the leaked data could provide significant insight into their model architecture and training methods. The incident highlights the growing threat of supply chain attacks targeting the AI development lifecycle, where a vulnerability in a dependent tool can lead to catastrophic breaches of intellectual property and user data. Cognition Labs has since patched the vulnerability and is working with cybersecurity firms to investigate the full scope of the incident.