DOGE employee leaks private xAI API key from sensitive database

News
By published

The API key allowed access to four dozen LLMs, including Grok

Grok on a smartphone
(Image credit: Shutterstock)
  • A security researcher has uncovered a worrying API key leak
  • The leak reportedly comes from DOGE staffer Marko Elez
  • This is not the first security issue originating from DOGE

A staffer with access to the personal data of millions of Americans has apparently leaked the API Key to at least four dozen LLMs developed by artificial intelligence company xAI, including X’s (formerly Twitter) own chatbot Grok.

Security expert Brian Krebs revealed Marko Elez, an employee at Elon Musk’s Department of Government Efficiency, had access to sensitive databases at the US Social Security Administration, Justice, and Treasury departments as part of DOGE’s work in 'streamlining' the departments to increase efficiency.

Ironically, researchers recently uncovered that a DOGE worker’s credentials were exposed by infostealing malware, so DOGE’s security record so far is less than impressive.

Save up to 68% on identity theft protection for TechRadar readers!

Save up to 68% on identity theft protection for TechRadar readers!

TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.

Preferred partner (What does this mean?)

View Deal

Grok exposed

A code script was committed to GitHub named ‘agent.py’ that included a private application programming interface (API) key for xAI by Elez. This was first flagged by GitGuardian, a firm which scans GitHub for API secret tokens, database credentials, and certificates - and alerts affected users.

The exposed API key allowed access to at least 52 different LLMs used by xAI, with the most recent being an LLM called ‘grok 4-0709’, created on July 9, 2025 - according to Chief Hacking Officer at security consultancy Seralys, Philippe Caturegli.

Caturegli warned KrebsOnSecurity, “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors.”

The code repository that contains the private API key has since been removed after Elez was notified by email of the leak, however, the key still works and has not yet been revoked, so the issue is far from resolved.

This is not the first time internal xAI APIs have been leaked, with LLMs made for Musk’s other organisations, like SpaceX, Tesla, and Twitter/X exposed earlier in 2025, Krebs confirmed.

“One leak is a mistake,” Caturegli said, “But when the same type of sensitive key gets exposed again and again, it’s not just bad luck, it’s a sign of deeper negligence and a broken security culture.”

You might also like

TOPICS
Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.