Marko Elez DOGE API Key Leak Exposes Access to 52 LLMs, Sparks xAI Security Concerns

Published
Written by:
Lore Apostol
Cybersecurity Writer

A significant operational security breach emerged recently when Marko Elez, a government employee with ties to Elon Musk's Department of Government Efficiency (DOGE), inadvertently exposed a private API key to xAI’s powerful suite of tools. 

The leaked key reportedly provided unrestricted access to 52 Large Language Models (LLMs), raising alarms about how sensitive platforms are protected and managed within high-stakes environments.  

The breach occurred on July 13, 2025, when Elez uploaded a file to GitHub containing a script named “agent.py.” Embedded within this code was the private API key associated with direct access to xAI’s infrastructure. 

Marko Elez, in a photo from a social media profile | Source: Krebs on Security

GitGuardian, a firm specializing in discovering and remediating exposed secrets in public repositories, flagged the upload. Although the repository was promptly deleted after notification, security experts confirmed the key remained functional at the time of notification.  

Among the 52 LLMs accessible via the API key was xAI’s Grok-4-0709, the latest generative chatbot tailored for advanced enterprise configurations. 

Addressing the risk, Eric Schwake, Director of Cybersecurity Strategy at Salt Security, shared, “Without full visibility and governance at the API layer, they can silently introduce serious risks like data exposure or fraud.”

Devin Ertel, CISO at Menlo Security, noted, “Attacks like this show why defenders need AI-driven detection to match that level of sophistication—especially in environments relying on zero-trust models.”

This unintentional leak underscored how even sophisticated systems designed to remain secure can be leveraged by threat actors if basic security protocols are overlooked. The access it granted to xAI—a platform recently embedded in various tools to support U.S. federal agencies—could theoretically lead to exploitation of these systems. 

Philippe Caturegli, a prominent cybersecurity expert at Seralys, raised concerns about this recurring pattern, noting that Elez’s case is not the first instance of exposed API keys tied to Musk’s companies.  

“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli said.

The risks extend beyond xAI itself. Any misuse of the LLMs could result in data exfiltration, the generation of malicious content, or the exposure of proprietary algorithms.  

“AI Appreciation Day is a good reminder that the same technology driving business transformation is also transforming fraud,” said Alex Quilici, CEO of YouMail. “Protecting consumers now means anticipating how these tools will be misused next—and building defenses that adapt just as fast.”

Marko Elez’s API leak is a reminder for organizations relying on next-generation tools like xAI to recognize the significance of treating API keys as critical assets, ensuring they never leave secure environments or become accessible in unsecured locations.
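As an added illustration (not code from the article or from any party it names), the check below flags a credential written as a string literal in a Python script such as the “agent.py” described above, and passes the same script once the key is read from the environment. The name patterns, thresholds, the `LLM_API_KEY` variable, the `Client` call and the sample key are assumptions constructed for this example.

```python
import ast
import math
import re
from collections import Counter

# Assumed heuristics: credential-like names and thresholds; tune per code base.
SECRET_NAME = re.compile(r"api_?key|secret|token|passw(or)?d", re.I)
MIN_LEN, MIN_ENTROPY = 20, 3.5

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def looks_secret(node):
    """True for a long, high-entropy string literal."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and len(node.value) >= MIN_LEN and entropy(node.value) >= MIN_ENTROPY)

def find_hardcoded_secrets(source):
    """Return sorted (line, name) pairs where a credential-like name gets a literal."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        pairs = []
        if isinstance(node, ast.Assign):      # API_KEY = "..."
            pairs = [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.Call):      # Client(api_key="...")
            pairs = [(k.arg, k.value) for k in node.keywords if k.arg]
        elif isinstance(node, ast.Dict):      # {"token": "..."}
            pairs = [(k.value, v) for k, v in zip(node.keys, node.values)
                     if isinstance(k, ast.Constant) and isinstance(k.value, str)]
        hits.update((v.lineno, name) for name, v in pairs
                    if SECRET_NAME.search(name) and looks_secret(v))
    return sorted(hits)

# Constructed samples (parsed, never executed); the key is a made-up placeholder.
LEAKY = '''
import requests
API_KEY = "zQ7f3Lk9Tn2Xw8Rb5Vy1Hc6Md4Jp0SgAeUo"
client = Client(api_key="zQ7f3Lk9Tn2Xw8Rb5Vy1Hc6Md4Jp0SgAeUo")
'''
FIXED = '''
import os
API_KEY = os.environ["LLM_API_KEY"]
client = Client(api_key=API_KEY)
'''

if __name__ == "__main__":
    for label, src in (("leaky", LEAKY), ("fixed", FIXED)):
        print(label, find_hardcoded_secrets(src))
```

Run as a pre-commit step, a non-empty result blocks the commit before the file reaches a public repository; a key that has already been pushed still has to be revoked, since deleting the repository does not invalidate it.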

