DOGE Contractor With Access to Sensitive American Data Exposed Private xAI Credentials on GitHub
API Key Leak Raises Alarms
A DOGE staffer with privileged access to U.S. government systems inadvertently leaked a private xAI API key, potentially granting unauthorized access to dozens of proprietary AI models, including Grok, developed by Elon Musk’s xAI.
- The leak was discovered in code posted publicly on GitHub.
- The exposed credentials remained active even after removal from the repository.
The staffer, Marko Elez, has served in recent months as a special government employee, reportedly working on high-sensitivity platforms across the U.S. Treasury, Social Security Administration, and Department of Homeland Security.
- These agencies manage millions of Americans’ personal and financial data.
- Elez’s role placed him in direct proximity to critical systems.
Discovery and Response
The breach was first identified by Philippe Caturegli, founder of security firm Seralys, who quickly notified Elez earlier this week.
- Elez took down the GitHub code after being contacted.
- However, the xAI API key itself was not revoked, so removing the code did nothing to stop anyone who had already copied the key from using it.
Security journalist Brian Krebs broke the story on KrebsOnSecurity, noting the key’s continued validity as of publication.
- The API key potentially provided unrestricted access to xAI’s internal chatbot models.
- The breach highlights poor credential hygiene and raises broader national security concerns.
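The two failures described above (a key committed to public code, then deleted from the repository without being revoked) are what a history-aware secret scan is meant to surface. The following is an added example written for this page, not code from the article or from any party it names; the `xai-` key prefix and the in-memory model of commit snapshots are assumptions.

```python
"""Scan every commit snapshot, not just HEAD, for hard-coded API keys.

Added example. Commits are modelled in memory as (commit_id, {path: contents});
in practice the snapshots would come from git. The "xai-" prefix is an assumption.
"""
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]          # path -> file contents at one commit
Hit = Tuple[str, str, int, str]    # (commit, path, line_no, pattern_name)

# Credential shapes to flag; the generic rule catches KEY = "..." style lines.
KEY_PATTERNS = {
    "xai_api_key": re.compile(r"\bxai-[A-Za-z0-9]{20,}\b"),
    "generic_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}

def scan_snapshot(commit: str, files: Snapshot) -> List[Hit]:
    """Return one hit per line that matches any credential pattern."""
    hits: List[Hit] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, pattern in KEY_PATTERNS.items():
                if pattern.search(line):
                    hits.append((commit, path, line_no, name))
                    break
    return hits

def scan_history(commits: List[Tuple[str, Snapshot]]) -> List[Hit]:
    """Scan every commit: a secret deleted in HEAD is still readable in history."""
    return [h for commit, files in commits for h in scan_snapshot(commit, files)]

def needs_rotation(commits: List[Tuple[str, Snapshot]]) -> bool:
    """True when any commit ever held a credential. Deleting the file from the
    latest commit does not revoke the key; only rotation at the provider does."""
    return bool(scan_history(commits))

# Constructed history: commit c1 adds a placeholder key, commit c2 deletes it again.
CONSTRUCTED_HISTORY: List[Tuple[str, Snapshot]] = [
    ("c1", {"config.py": 'MODEL = "grok"\nXAI_API_KEY = "xai-EXAMPLEKEY000000000000000000"\n'}),
    ("c2", {"config.py": 'MODEL = "grok"\n'}),
]

if __name__ == "__main__":
    for hit in scan_history(CONSTRUCTED_HISTORY):
        print("credential in commit %s at %s:%d (%s)" % hit)
    print("rotate key:", needs_rotation(CONSTRUCTED_HISTORY))
```

Scanning only the current tree (commit c2) reports nothing, which is the false reassurance a take-down without revocation gives.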
Broader Implications
“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” said Caturegli.
- Government contractors working with classified or sensitive citizen data are expected to follow stringent security protocols.
- This incident highlights a growing vulnerability in how developers and engineers manage credentials across platforms.
The event also underscores risks in allowing external contractors like DOGE staffers to access federal systems without rigorous oversight and auditing.
- Exposure of such keys can lead to model abuse, data exfiltration, or unauthorized system queries.
- It may also violate terms of use or federal data compliance standards.
Status of xAI and Grok
xAI’s models, including Grok, are among the most closely guarded components of Elon Musk’s AI venture and are integrated with X (formerly Twitter) and other Musk-backed platforms.
- Access to these models is typically limited to licensed clients.
- Unauthorized access via leaked keys poses both commercial and cybersecurity risks.
As of now, xAI has not publicly commented on the breach or whether the leaked key has since been deactivated.