Major xAI Security Lapse: DOGE Employee Leaks Confidential API Key for 50+ AI Models
Over the weekend, an employee of the Department of Government Efficiency (DOGE), an agency under Elon Musk’s purview, inadvertently exposed a confidential key that granted direct access to over 50 of xAI’s language models. The 25-year-old staffer, Marko Elez, uploaded a file to GitHub, unaware that the private API key had been embedded within the agent.py script. The incident was disclosed by GitGuardian.
According to Philippe Caturegli, a representative of cybersecurity firm Seralys, the leaked key allowed interaction with 52 large language models, including the latest “grok-4-0709,” developed just four days prior to the breach—on July 9, 2025. All of these models power the generative chatbot Grok, which is integrated into X and developed by xAI. At the time of writing, the chatbot runs on Grok-3, released in February.
What makes the breach particularly alarming is its proximity to a major $200 million contract signed earlier this month between xAI and the U.S. Department of Defense for the use of Grok. Notably, this agreement was finalized mere days after the chatbot had begun broadcasting antisemitic remarks and referencing Adolf Hitler.
Upon discovering the leak, Caturegli personally contacted Elez via email. Although the repository was swiftly taken down, the compromised key, disturbingly, remained active. Caturegli questioned the reliability of someone entrusted with access to key government infrastructure who fails to practice basic digital hygiene. The recurrence of such leaks points to deep-rooted systemic flaws in managing sensitive data.
Marko Elez’s professional history has long been a subject of concern. Prior to his role at DOGE, he held positions in other Elon Musk ventures. His first assignment at DOGE was within the Treasury Department, where he was already cited for violating security protocols by transmitting unencrypted personal data. Following a Wall Street Journal exposé linking him to racist and eugenicist content on social media, Elez resigned. Nonetheless, with the backing of Vice President J.D. Vance and approval from Donald Trump, he was reinstated at DOGE.
Since then, Elez’s access to government databases has only broadened. In February 2025, he was spotted in the Social Services Department; in March, at the Department of Labor. By April, The New York Times confirmed his involvement with Border Patrol, Immigration and Customs Enforcement, and later, the Department of Homeland Security. The Washington Post added that Elez had access to immigration-related judicial decision systems within the Department of Justice.
The API key leak is not an isolated lapse. In May, another DOGE employee exposed a similar confidential key tied to xAI’s internal models, which were used to process sensitive data from SpaceX, Tesla, and X. Experts argue that the frequency of such incidents reflects a deeply entrenched culture of negligence regarding digital security.