DOGE Staffer Leaks xAI's Private API Key, Raising Concerns Over Government Data Security

DOGE staffer with access to Americans' personal data leaked private xAI API key

A DOGE staffer with access to the private information on millions of Americans held by the U.S. government reportedly exposed a private API key used for interacting with Elon Musk's xAI chatbot. Independent security journalist Brian Krebs reports that Marko Elez, a special government employee who in recent months has worked on sensitive systems at the U.S. Treasury, the Social Security Administration, and Homeland Security, recently published code to his GitHub containing the private key. The key allowed access to dozens of models developed by xAI, including Grok. Philippe Caturegli, founder of consultancy firm Seralys, alerted Elez to the leak earlier this week. Elez removed the key from his GitHub but the key itself was not revoked, allowing continued access to the AI models. "If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors," Caturegli told KrebsOnSecurity.

A leaked xAI security key could put your data at risk -- here's what happened

A federal government employee has reportedly leaked a sensitive API key linked to Elon Musk's xAI platform -- and it could have serious implications for both national security and the future of AI development. According to a report from TechRadar, Marko Elez, a 25-year-old software developer with the Department of Government Efficiency (DOGE), accidentally uploaded xAI credentials to GitHub while working on a script titled agent.py. That key granted access to at least 52 private large language models from xAI, including the latest version of Grok (grok‑4‑0709), a GPT-4-class model powering some of Musk's most advanced AI services. The exposed credentials remained active for a concerning period of time, raising major questions about access control, data security, and the growing use of AI across U.S. government systems. Elez had high-level clearance and access to sensitive databases used by agencies like the Department of Justice, Homeland Security and the Social Security Administration. If the xAI credentials were abused before being revoked, it could open the door to misuse of powerful language models, from scraping proprietary data to impersonating internal tools. This incident follows a string of DOGE-related security lapses and adds to a growing chorus of criticism over how the agency; formed under Elon Musk's influence to improve government efficiency, manages internal safeguards. The leaked key was embedded in a GitHub repository owned by Elez and exposed publicly. It provided backend access to xAI's model suite, including Grok-4, without any apparent usage restrictions. Researchers who discovered the leak were able to confirm its validity before the repository was taken down, but not before it could have been scraped by others. The most recent Grok models are used not only for public-facing services like X (formerly Twitter) but also within Musk's federal contracts. This means the API leak may have inadvertently created a potential attack surface across both commercial and governmental systems. This is a warning sign that AI tools with enormous power are being handled casually, even those held by government insiders. Philippe Caturegli, CTO at cybersecurity firm Seralys, told TechRadar: "If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors." Elez has been involved in previous DOGE controversies, including inappropriate social media behavior and apparent disregard for cybersecurity protocols. At the time of writing, xAI has not issued a statement, and the leaked API key has not been officially revoked, according to reports. So as of now, xAI hasn't disabled that key, making it a continuing security concern. Meanwhile, government officials and watchdogs are calling for stricter credential management policies and better oversight of tech collaborations involving high-stakes AI infrastructure. While this breach may not immediately affect the average user, it highlights a broader issue: the increasingly blurred lines between public and private AI development, and the very real need for transparency, accountability, and better data hygiene in both sectors. For now, the key takeaway is this: as AI systems become more powerful, the humans behind them must be even more careful. As we are already seeing, one careless upload could unlock a world of risk. Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.

DOGE staffer reportedly published secret xAI key to dozens of AI models

Marko Elez keeps coming up in news headlines and it's never for good reasons. Credit: Andrey Rudakov/Bloomberg via Getty Images Five months after DOGE staffer Marko Elez resigned from the agency over racist social media posts, he's not only back at DOGE, but back in the news for another not-very-positive reason. Cybersecurity journalist Brian Krebs published a report on Monday indicating that, over the weekend, Elez published a private API key to GitHub that would allow users to "directly interact" with some of xAI's (Elon Musk's AI company, for those who haven't been following along) large language models. To be clear, "some" might be understating it, as the total number of LLMs that were made accessible in this leak was at least 52. These LLMs are part of what makes up Grok, the AI chatbot that's integrated directly into X. Yes, Grok is the same one that recently referred to itself as "MechaHitler" just days before entering into a $200 million deal with the U.S. Department of Defense. While the code repository featuring the leaked API key has been removed, the key itself still works for anyone who accessed it, per the Krebs report. While it's not ideal from xAI's perspective for that information to be out in the open like that, the real concern for the general populace here is that Elez exhibited poor operational security habits while simultaneously having access to loads of important information held by the U.S. government. Elez did, indeed, resign from DOGE due to his social media posts back in February, but by the end of March, he was back on the government's payroll and has reportedly become involved with numerous different departments since then. Elon Musk may be on the outs with Donald Trump, but he still continues to have some effect on U.S. government operations, it seems.

DOGE employee leaks private xAI API key from sensitive database

A staffer with access to the personal data of millions of Americans has apparently leaked the API Key to at least four dozen LLMs developed by artificial intelligence company xAI, including X's (formerly Twitter) own chatbot Grok. Security expert Brian Krebs revealed Marko Elez, an employee at Elon Musk's Department of Government Efficiency, had access to sensitive databases at the US Social Security Administration, Justice, and Treasury departments as part of DOGE's work in 'streamlining' the departments to increase efficiency. Ironically, researchers recently uncovered that a DOGE worker's credentials were exposed by infostealing malware, so DOGE's security record so far is less than impressive. A code script was committed to GitHub named 'agent.py' that included a private application programming interface (API) key for xAI by Elez. This was first flagged by GitGuardian, a firm which scans GitHub for API secret tokens, database credentials, and certificates - and alerts affected users. The exposed API key allowed access to at least 52 different LLMs used by xAI, with the most recent being an LLM called 'grok 4-0709', created on July 9, 2025 - according to Chief Hacking Officer at security consultancy Seralys, Philippe Caturegli. Caturegli warned KrebsOnSecurity, "If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors." The code repository that contains the private API key has since been removed after Elez was notified by email of the leak, however, the key still works and has not yet been revoked, so the issue is far from resolved. This is not the first time internal xAI APIs have been leaked, with LLMs made for Musk's other organisations, like SpaceX, Tesla, and Twitter/X exposed earlier in 2025, Krebs confirmed. "One leak is a mistake," Caturegli said, "But when the same type of sensitive key gets exposed again and again, it's not just bad luck, it's a sign of deeper negligence and a broken security culture."

An Elon Musk ally gave away the keys to Grok's AI brain

Just months after returning to government service following a controversial resignation, Department of Government Efficiency (DOGE) staffer Marko Elez is back in the spotlight -- this time for exposing a sensitive API key tied to Elon Musk's artificial intelligence company, xAI. On Sunday, Elez published a GitHub repository containing "agent.py," a script that inadvertently included a private key granting access to at least 52 of xAI's large language models (LLMs). Spotted by Krebs on Security, the exposed models, which include the newly created "grok-4-0709," form the backbone of Grok, the AI chatbot integrated into Musk's X platform. The key was flagged by GitGuardian, a company that monitors public repositories for credential leaks. Despite the repository being taken down quickly, the API key remains active, according to security consultant Philippe Caturegli, who first alerted Elez to the exposure. That means anyone who accessed the repository while it was live could still use the key to interface with xAI's models directly -- raising significant concerns about both corporate and government data security. This is the second such leak involving a DOGE employee in recent months. Back in May, another member of DOGE reportedly exposed a private xAI key that offered access to LLMs trained on internal data from Tesla, SpaceX, and X. These repeated lapses point to deeper issues in operational security and highlight the blurry lines between Musk's companies and the government agencies now increasingly relying on his infrastructure. Elez, a 25-year-old with a history of questionable conduct, previously resigned from DOGE after being linked to racist and eugenicist social media posts. Yet he returned to the agency within weeks, aided by lobbying from Vice President J.D. Vance. Since his retrun, Elez has cycled through roles across multiple high-level agencies, including the Social Security Administration, Department of Labor, Department of Homeland Security, and the Department of Justice. He has held access to sensitive databases involving immigration systems, financial records, and national security operations. The latest leak comes at a particularly precarious time: Just days ago, the Department of Defense awarded a contract worth up to $200 million for Grok, despite the chatbot recently generating antisemitic responses and referencing Adolf Hitler. With trust in AI already fraying, the exposure of private keys that unlock critical infrastructure raises the stakes for both corporate accountability and federal oversight. Elez's ability to move freely between government departments -- and now be tied to repeated security lapses involving Musk's AI tools -- underscores the growing entanglement between Silicon Valley and Washington. As DOGE's role expands and xAI's tools increasingly underpin federal systems, questions about vetting, cybersecurity hygiene, and conflict of interest are likely to grow louder. So far, xAI has not revoked the exposed key, and neither DOGE nor Elez has issued a public response. But the larger issue may not be this one leak -- it's the system that allowed it to happen again.