DOGE staffer with access to Americans’ personal data leaked private xAI API key
A significant cybersecurity incident has come to light, involving a Special Government Employee (SGE) with privileged access to the personal data of millions of Americans. The individual reportedly exposed a private API key for Elon Musk’s artificial intelligence venture, xAI, raising serious concerns about government data handling and the security of sensitive information.
Independent security journalist Brian Krebs, through his publication KrebsOnSecurity, detailed that Marko Elez, a staffer associated with the U.S. government’s Digital Opportunity & Governance Ecosystem (DOGE), recently published code to his GitHub account that inadvertently contained the critical private key. Elez’s role has reportedly involved working on sensitive systems for key federal agencies, including the U.S. Treasury, the Social Security Administration, and Homeland Security, granting him access to a vast repository of private citizen data.
The leaked API key provided unauthorized access to a multitude of xAI’s advanced models, including the widely recognized Grok chatbot. This exposure means that anyone with the leaked key could potentially interact with or leverage these AI capabilities, though the direct impact on American citizens’ data through this specific xAI key is still being assessed, the precedent set is alarming.
The vulnerability was brought to Elez’s attention by Philippe Caturegli, founder of the consultancy firm Seralys. While Elez promptly removed the sensitive key from his GitHub repository upon notification, a critical lapse remains: the API key itself was not revoked. This failure to invalidate the key means that unauthorized access to xAI models, including Grok, could potentially persist for anyone who obtained the key before its removal from GitHub.
Caturegli underscored the gravity of the situation in a statement to KrebsOnSecurity, emphasizing the broader implications for data security: “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors.” This incident highlights the imperative for stringent security protocols and continuous oversight, especially for individuals entrusted with access to critical government systems and vast amounts of personal data.
