A Department of Government Efficiency (DOGE) staffer who handles sensitive government systems accidentally exposed a private API key for Elon Musk’s xAI chatbot, raising concerns about data security practices within the department.
Marko Elez, a special government employee who has worked on sensitive systems at the U.S. Treasury, Social Security Administration, and Homeland Security in recent months, published the private key in code on his public GitHub account, according to security journalist Brian Krebs.
The exposed key provided access to dozens of AI models developed by xAI, including the company’s Grok chatbot. The leak is particularly concerning given Elez’s access to private information on millions of Americans through his government work.
Philippe Caturegli, founder of consultancy firm Seralys, discovered the exposed key and alerted Elez earlier this week. Elez removed the key from his GitHub repository, but the key itself was not revoked, meaning it could still be used to access the AI models.
“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli told KrebsOnSecurity.
The incident highlights potential security vulnerabilities within DOGE, the efficiency department established by the Trump administration and co-led by Elon Musk. The department has been tasked with streamlining government operations and reducing waste.
API keys are authentication tokens that allow access to software services. When exposed publicly, they can be misused by unauthorized parties to access systems or rack up charges on the account holder’s behalf.
The breach raises broader questions about cybersecurity protocols for government contractors who handle both sensitive personal data and private sector technologies.
Neither DOGE nor xAI immediately responded to requests for comment about the security incident.