DOGE employee accidentally leaks xAI API key exposing 52 private AI models

A 25-year-old federal government employee accidentally leaked a sensitive xAI API key to GitHub, potentially exposing access to 52 private large language models including Grok-4. The breach raises serious concerns about data security and national security, as the employee had high-level clearance and access to sensitive databases used by agencies like the Department of Justice, Homeland Security, and the Social Security Administration.

What happened: Marko Elez, a software developer with the Department of Government Efficiency (DOGE), accidentally uploaded xAI credentials to GitHub while working on a script titled agent.py.

• The leaked key granted access to at least 52 private large language models from xAI, including the latest version of Grok (grok-4-0709), a GPT-4-class model powering some of Musk’s most advanced AI services.
• The exposed credentials remained active for a concerning period of time, and researchers were able to confirm the key’s validity before the repository was taken down.
• According to reports, xAI has not officially revoked the leaked API key as of the time of writing, making it a continuing security concern.

Why this matters: The incident highlights dangerous gaps in AI security protocols within government systems and the blurred lines between public and private AI development.

• If the xAI credentials were abused before being revoked, it could open the door to misuse of powerful language models, from scraping proprietary data to impersonating internal tools.
• The most recent Grok models are used not only for public-facing services like X (formerly Twitter) but also within Musk’s federal contracts, potentially creating an attack surface across both commercial and governmental systems.
• This follows a string of DOGE-related security lapses and adds to growing criticism over how the agency manages internal safeguards.

The bigger picture: This breach exposes systemic issues with how powerful AI tools are being handled by government insiders.

• Philippe Caturegli, CTO at cybersecurity firm Seralys, told TechRadar: “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors.”
• Elez has been involved in previous DOGE controversies, including inappropriate social media behavior and apparent disregard for cybersecurity protocols.
• Government officials and watchdogs are calling for stricter credential management policies and better oversight of tech collaborations involving high-stakes AI infrastructure.

What’s next: The incident underscores the urgent need for better security protocols as AI systems become more powerful and integrated into government operations.

• xAI has not issued a statement regarding the breach, and the leaked API key reportedly remains active.
• The breach may not immediately affect average users, but it highlights the very real need for transparency, accountability, and better data hygiene in both public and private AI development sectors.