Subj : DOGE employee leaks priva
To : All
From : Mike Powell
Date : Thu Jul 17 2025 09:09 am
DOGE employee leaks private xAI API key from sensitive database
Date:
Wed, 16 Jul 2025 18:30:00 +0000
Description:
The staffer had access to millions of Americans' personal data.
FULL STORY
A staffer with access to the personal data of millions of Americans has
apparently leaked the API Key to at least four dozen LLMs developed by
artificial intelligence company xAI, including X's (formerly Twitter) own
chatbot Grok.
Security expert Brian Krebs revealed Marko Elez, an employee at Elon Musk's
Department of Government Efficiency, had access to sensitive databases at the
US Social Security Administration, Justice, and Treasury departments as part
of DOGE's work in 'streamlining' the departments to increase efficiency.
Ironically, researchers recently uncovered that a DOGE worker's credentials
were exposed by infostealing malware, so DOGE's security record so far is
less than impressive.
A code script named agent.py, which included a private application
programming interface (API) key for xAI, was committed to GitHub by Elez. This was first
flagged by GitGuardian, a firm which scans GitHub for API secret tokens,
database credentials, and certificates - and alerts affected users.
The exposed API key allowed access to at least 52 different LLMs used by xAI,
with the most recent being an LLM called grok 4-0709, created on July 9, 2025
- according to Chief Hacking Officer at security consultancy Seralys,
Philippe Caturegli.
Caturegli warned KrebsOnSecurity, "If a developer can't keep an API key
private, it raises questions about how they're handling far more sensitive
government information behind closed doors."
The code repository that contains the private API key has since been removed
after Elez was notified by email of the leak; however, the key still works
and has not yet been revoked, so the issue is far from resolved.
This is not the first time internal xAI APIs have been leaked, with LLMs made
for Musk's other organisations, like SpaceX, Tesla, and Twitter/X exposed
earlier in 2025, Krebs confirmed.
"One leak is a mistake," Caturegli said, "But when the same type of sensitive
key gets exposed again and again, it's not just bad luck, it's a sign of deeper
negligence and a broken security culture."
======================================================================
Link to news story:
https://www.techradar.com/pro/security/doge-employee-with-sensitive-database-access-leaks-private-xai-api-key
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)