Wild how one leaked xAI API key opened up access to 52 LLMs, including a brand-new Grok model, and they didn’t revoke it right away.
This shows how careless secret management can scale into a huge breach, especially when the same org handles sensitive data.
Shouldn’t teams building with LLMs have automated checks to catch exposed keys before they hit public repos?
Cthulhu_ · 21m ago
They should, but they're young, naive and rich, a new generation of "move fast and break things", except this time they've been inserted into the government by a regime who doesn't care and/or who may have the intent to just leak the public's information.
sashank_1509 · 12h ago
Jokers, even GitHub auto checks if you push code with a private key.
blibble · 12h ago
I doubt it has an integration with grok
sleazebreeze · 12h ago
Nothing to see here. Move right along. I'm sure one or two or a handful of repeated incidents don't represent a trend or potential for future fuck-ups.
What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?
burnt-resistor · 6h ago
Destroying things to justify privatization while stealing every detail about us to increase profits and target opponents. Sure, there are HIPAA, secrecy, and confidentiality violations happening but there's no one left to prosecute the criminals when the criminals are the police, COTUS, SCOTUS, and the unitary executive. The only meaningful distinction remaining is patronage vs. outsider.
icecreamscoop · 9h ago
Officially they are still re-writing the software that runs Social Security. Back in May, they said re-writing >1 millions lines of COBOL would only take a few months.
Unofficially, they are the worst people so they are probably doing the worst things you can imagine.
jauntywundrkind · 7h ago
Wired also had this recent update, on "DOGE 2.0".
> But without flashy leadership, DOGE technologists are now quietly cycling into federal agencies, spending days or weeks building products and cutting contracts before cycling out once again. This is all done with little oversight from the White House or the United States DOGE Service (USDS), which these technologists purportedly represent.
Maybe the US should start another government department for this.
quantified · 12h ago
> “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,”
It raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.
saalweachter · 12h ago
Like, "why does this nominal government employee have the API key to XAI"/"why is an active X employee playing such a prominent role in the government"?
zdragnar · 12h ago
External tech workers have been a thing since at least the catastrophe that was the original ACA launch. That "tech surge" was definitely full of more experienced people than the "smart kids" we see in DOGE though.
More worrying is that the article points out at time of writing the key was still valid. Why such a high level key was used in an agent script, why it hasn't been rotated (can't be rotated?) and about a dozen other "whys" point to some rather damning practices.
I get that the idea was to avoid the obscene levels of red tape that can be common in government IT, but the pendulum has clearly swung far, far far too far the other way.
relistan · 17m ago
All of this is a mess. But it should never even have been possible for it to fall to a single developer to screw up and commit a key like that.
If there were anything like proper processes in place, controls would have made that very difficult.
Then there are the weird issues about why obvious close ties to xAI here....
JumpCrisscross · 11h ago
> It raises additional questions
Ones we should be ready to prosecute with official resources come ‘26 and ‘28.
In the meantime, I wouldn’t let him into my country. But the EU will be the EU.
optimalsolver · 12h ago
This was the "normalize Indian-hate" guy.
phendrenad2 · 9h ago
Very interesting that he had to resign from DOGE over this, yet xAI seemingly welcomed him.
UncleMeat · 2h ago
He was rehired.
The trump administration very briefly believed that publicly saying "I was racist before it was cool" and "normalize Indian hate" in public just months before being hired was crossing a line. Then they realized that no it actually wasn't and that their base likes people like this and rehired him.
I do wonder what JD Vance's kids think about situations like this.
preisschild · 5h ago
i dont think he had to, he voluntarily did after public pressure. And then JD Vance tried to get him back
lbrito · 12h ago
These reports seem increasingly irrelevant. There are surely many people that care and are outraged, but that's about it. Tomorrow the news cycle will have something else, and the 20 year olds scrapping their pants at doge will be yesterday's news.
esseph · 12h ago
XAI key is potentially root into X (social media), and Tesla via grok, yes?
As someone who is not very acquainted with blackhat or infosec, what is the priority list to do when you get an API key like this? Exfiltration? Access escalation? Presumably the hole gets closed so what do you do with that time?
glaucon · 11h ago
> DoD is also contracting for $200 million for grok
Somewhat to one side but when up to USD800 million is being spent (Grok, is not the only AI shaped snout at the trough) it's depressing to see the vagueness of the supposed uses [1] (in a five line paragraph this is the most specific description of why that need to spend the money ... "to support our warfighters and maintain strategic advantage over our adversaries")
There are a lot of classified contracts, services, etc.
lbrito · 11h ago
That's kind of my point. It is bad And likely no one will be held accountable for it.
epicwynn · 10h ago
Just another example showing that power and persistence does not equal competence.
fennec-posix · 11h ago
Once, I can understand, but twice? come on... And the keys were still valid hours later (according to the article)
ada1981 · 11h ago
I regularly expose my AI api keys in my weekly zoom meetings for our AI Playground :)
So far no one has taken me up on them.
Feel free to join as a VIP anytime!
nothingburger25 · 3h ago
Nooo! you need to use the dev, staging and prod keyvaults, and you need to save the keyvault access key in the environment variable!!!
says the one who never gets anything done
Cthulhu_ · 18m ago
Which is more important: people's data, or "getting things done"? What did this guy "get done" by leaking private keys, or in general anyway?
davidguetta · 3h ago
Hi Marko
nothingburger25 · 3h ago
show me your last repo, we want to see how much nothing it does
davidguetta · 2h ago
I cant, as a professional i dont leak private infos ><
smcl · 2h ago
absolutely cooked 'em
nothingburger25 · 3h ago
I'd say so what.
I hardcode many API keys to pull data and so does many people, and worst case scenario you need to regenerate it if it leaks.
Not all access keys are the same.
Cthulhu_ · 17m ago
"if it leaks" -> "if you detect or get notified that it leaks and you're able to catch it before the credit card linked to your AWS account is drained by a thousand crypto miners"
saubeidl · 2h ago
Did you make an account just to justify questionable data security practices by the people fucking around the social security system without any oversight?
This shows how careless secret management can scale into a huge breach, especially when the same org handles sensitive data.
Shouldn’t teams building with LLMs have automated checks to catch exposed keys before they hit public repos?
What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?
https://www.wired.com/story/doge-rebuild-social-security-adm...
Unofficially, they are the worst people so they are probably doing the worst things you can imagine.
> But without flashy leadership, DOGE technologists are now quietly cycling into federal agencies, spending days or weeks building products and cutting contracts before cycling out once again. This is all done with little oversight from the White House or the United States DOGE Service (USDS), which these technologists purportedly represent.
Forcing the NRC to rubber stamp any requests that come in front of it, apparently[0].
[0] https://www.politico.com/news/2025/07/14/doge-to-regulator-r...
It raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.
More worrying is that the article points out at time of writing the key was still valid. Why such a high level key was used in an agent script, why it hasn't been rotated (can't be rotated?) and about a dozen other "whys" point to some rather damning practices.
I get that the idea was to avoid the obscene levels of red tape that can be common in government IT, but the pendulum has clearly swung far, far far too far the other way.
If there were anything like proper processes in place, controls would have made that very difficult.
Then there are the weird issues about why obvious close ties to xAI here....
Ones we should be ready to prosecute with official resources come ‘26 and ‘28.
In the meantime, I wouldn’t let him into my country. But the EU will be the EU.
The trump administration very briefly believed that publicly saying "I was racist before it was cool" and "normalize Indian hate" in public just months before being hired was crossing a line. Then they realized that no it actually wasn't and that their base likes people like this and rehired him.
I do wonder what JD Vance's kids think about situations like this.
If so, sounds potentially life threatening.
NTSB might wanna look into that.
Edit: DoD is also contracting for $200 million for grok. Yeah, this is bad. https://www.washingtonpost.com/technology/2025/07/14/elon-mu...
Somewhat to one side but when up to USD800 million is being spent (Grok, is not the only AI shaped snout at the trough) it's depressing to see the vagueness of the supposed uses [1] (in a five line paragraph this is the most specific description of why that need to spend the money ... "to support our warfighters and maintain strategic advantage over our adversaries")
[1] https://archive.ph/p1ZXR#selection-719.61-719.141
So far no one has taken me up on them.
Feel free to join as a VIP anytime!
says the one who never gets anything done