- A security researcher has revealed a worrying API key leak
- The leak reportedly came from DOGE employee Marko Elez
- This is not the first security issue stemming from DOGE
An employee with access to the personal data of millions of Americans has apparently leaked an API key for at least four dozen LLMs developed by artificial intelligence company xAI, including X's (formerly Twitter) own chatbot Grok.
Security expert Brian Krebs revealed that Marko Elez, an employee of Elon Musk's Department of Government Efficiency, had access to sensitive databases at the US Social Security Administration and the Justice and Treasury departments as part of DOGE's work to 'streamline' departments to increase efficiency.
Ironically, researchers recently revealed that a DOGE worker's credentials were exposed by infostealing malware, so DOGE's security record so far is less than impressive.
GROK EMPLOYED
Elez committed a code script named 'agent.py' to GitHub that included a private application programming interface (API) key for xAI. This was first flagged by GitGuardian, a company that scans GitHub for API secrets, tokens, database credentials and certificates, and alerts affected users.
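A minimal sketch of the kind of check a secret scanner can run on a Python script before it reaches GitHub, added here as an example; it is not GitGuardian's method or code from the leaked script. The variable-name pattern, thresholds and sample sources are assumptions, and the keys shown are fake.

```python
import ast
import math
import re

# Assumption: names that usually hold credentials (not a list from the article).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|passw)", re.I)

def shannon_entropy(s):
    """Bits per character; random keys score far higher than words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_secrets(source, min_len=20, min_entropy=3.5):
    """Return sorted (line, name) pairs for long, high-entropy string
    literals bound to credential-like variables or keyword arguments."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        pairs = []
        if isinstance(node, ast.Assign):
            pairs = [(t.id, node.value) for t in node.targets
                     if isinstance(t, ast.Name)]
        elif isinstance(node, ast.Call):
            pairs = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        for name, value in pairs:
            if (SECRET_NAME.search(name)
                    and isinstance(value, ast.Constant)
                    and isinstance(value.value, str)
                    and len(value.value) >= min_len
                    and shannon_entropy(value.value) >= min_entropy):
                findings.append((value.lineno, name))
    return sorted(findings)

# Constructed sample standing in for a script like agent.py; keys are fake.
LEAKY = '''import os
API_KEY = "sk-test-9fQ2xLr7Vb0TzK4mWcE8yHd3NuJ6pAs1"
client = make_client(api_key="sk-test-Zp4Xw8Rk2Lm9Qv6Tn1Bc7Yj3Hg5Fd0Sa")
'''
# Constructed safe variant: key read from the environment, short placeholder.
SAFE = '''import os
API_KEY = os.environ["LLM_API_KEY"]
PLACEHOLDER_API_KEY = "changeme"
'''

if __name__ == "__main__":
    for line, name in find_hardcoded_secrets(LEAKY):
        print(f"line {line}: hardcoded value assigned to {name}")
```

A finding on a key that has already been pushed means the key must be revoked and reissued; deleting the file or repository does not invalidate it.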
The exposed API key gave access to at least 52 different LLMs used by xAI, the latest being an LLM called 'Grok 4-0709', created on July 9, 2025, according to Philippe Caturegli, Chief Hacking Officer at security consultancy Seralys.
Caturegli warned KrebsOnSecurity, "If a developer can't keep an API key private, it raises the question of how they handle far more sensitive government information behind closed doors."
The code repository that contained the private API key has since been removed after Elez was notified of the leak via email, but the key still works and has not yet been revoked, so the problem is far from resolved.
This is not the first time internal xAI APIs have been leaked, with LLMs made for Musk's other organizations, such as SpaceX, Tesla and Twitter/X, exposed earlier in 2025, Krebs confirmed.
"A leak is a mistake," Caturegli said, "but when the same type of sensitive key is exposed over and over, it's not just bad luck, it's a sign of deeper negligence and a broken security culture."



