DOGE staffer with access to Americans' personal data leaked private xAI API key:
A DOGE staffer with access to the private information on millions of Americans held by the U.S. government reportedly exposed a private API key used for interacting with Elon Musk's xAI chatbot.
Independent security journalist Brian Krebs reports that Marko Elez, a special government employee who in recent months has worked on sensitive systems at the U.S. Treasury, the Social Security Administration, and Homeland Security, recently published code to his GitHub containing the private key. The key allowed access to dozens of models developed by xAI, including Grok.
Philippe Caturegli, founder of consultancy firm Seralys, alerted Elez to the leak earlier this week. Elez removed the key from his GitHub but the key itself was not revoked, allowing continued access to the AI models.
"If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors," Caturegli told KrebsOnSecurity.
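As an added illustration that is not part of the article or the thread, the following constructed shell demo shows why deleting a committed key from a repository is not the same as revoking it: the key value is a labelled placeholder, and the repository is a throwaway created under mktemp.

```shell
#!/bin/sh
# Added illustration (not from the article): a secret deleted from a repo's
# latest commit is still recoverable from git history, which is why removing
# a leaked key from GitHub is not a substitute for revoking it at the provider.
set -eu

# Constructed placeholder, not a real credential and not a real key format.
FAKE_KEY="xai-EXAMPLE-NOT-A-REAL-KEY-0123456789"

# Build a throwaway repo: commit the key, then "fix" the leak by deleting it.
# Runs in a subshell when called via $(...), so the cd does not leak out.
make_leaky_repo() {
  dir=$(mktemp -d)
  cd "$dir"
  git init -q .
  git config user.email "demo@example.invalid"
  git config user.name "demo"
  printf 'XAI_API_KEY=%s\n' "$FAKE_KEY" > config.env
  git add config.env
  git commit -q -m "add config"
  git rm -q config.env
  git commit -q -m "remove leaked key"
  printf '%s\n' "$dir"
}

# Returns 0 if the key is absent from the current tree (what a casual
# reviewer of the repo sees), 1 otherwise.
key_gone_from_worktree() {
  ! git -C "$1" grep -q "$FAKE_KEY" HEAD
}

# Returns 0 if the key can still be pulled out of history, 1 otherwise.
key_still_in_history() {
  git -C "$1" log -p --all | grep -q "$FAKE_KEY"
}

repo=$(make_leaky_repo)
if key_gone_from_worktree "$repo" && key_still_in_history "$repo"; then
  echo "Key is gone from the checkout but still in git history: rotate it."
fi
```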
MAGA this is your best and brightest.
That's the scary part, that the org they're auditing is certainly worse...
Really? How sure of that are you?
The org they are auditing almost definitely had:
1. An average experience level way way higher than DOGE. A team with lots of people with 10+ years of experience, on average, is going to be more capable than a team containing a bunch of kids right out of college.
2. Education related to the job they were doing. As opposed to guys with BAs in unrelated fields. Many of them have master's degrees and some have doctorates.
3. Successful completion of the civil service exam for the agency they work for. As opposed to a standard of "Elon likes them or thinks they are smart", which is a significantly less scientific standard.
I get that you like Elon, and/or Donald, and want to see those policies implemented. But your idea that all government agencies are staffed by drooling idiots doesn't match reality, at all. Sure, in a workforce of tens of thousands of people there are going to be some bad ones, but also by sheer numbers there will be smart people in there too. Meanwhile, DOGE made a bunch of stupid mistakes simply because they didn't understand what they were looking at and didn't bother to find out.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
Has the GOD DAMNED CORPORATE SPY been arrested yet for unauthorized access to a protected computer? Not a word in TFA
It's for api access. Google lets me have api access, why is it wrong for whatever bot he's working on?
This is like getting angry that a worker let a customer use the key for the toilet.
No, it's like letting Epstein have the key to the little girl's room. Or his friend Donald Trump.
At least they aren't trans perverts AMIRITE?
A DOGE "developer"? So, some 15 or 16 year old future Incel?
The monster Musk created came back to bite him.
Do you really think Musk will suffer one tiny bit for this?
It hurts his bottom line.
Damaged credibility and all that.
Anything that hurts Musk even a little bit makes my day better.
We aren't told any details about this private key, which suggests to me they are omitting them to increase the FUD, along with identifying this individual as a DOGE staffer.
What's the plausible, benign context for this? This is a private API key for a personal account that he's using for some throwaway personal hobby projects. So he threw together some junk and pushed it to Github and accidentally included the key. He realized and removed the key without revoking it, because he couldn't be arsed for a personal hobby project.
Omitting such a detail would make this sound worse than it actually is, so I'm inclined to assume that's the most likely scenario.
Marko Elez isn't just any DOGE staffer. He's a Nazi who resigned after numerous racist posts he authored were discovered [npr.org], then was hired back because JD Vance apparently really wanted this Nazi to have access to Americans' personal data [nbcnews.com]. And yes, he really is a Nazi and has openly supported eugenics.
As for what is actually going on here, this is his Github account: https://github.com/markoelez [github.com]. The relevant project seems to be AIENG, which he describes as a "Terminal-based, model-agnostic AI coding assistant, inspired by Claude Code".
It may be a personal project that he's doing for a hobby. It's not exactly clear what he intends to use AIENG for, whether the coding assistant is just for his personal projects or if he's using it professionally. But here's the problem: not revoking the API key is, at best, incredibly lazy. When someone has access to vast amounts of highly sensitive personal data, even being lazy about security is a huge problem.
He's not just any DOGE staffer. This is someone who apparently had the ability to edit code in Treasury Department systems. It's not clear what changes he did or did not make, but apparently it was a mistake that he had access to modify code. So now we have two mistakes that are security lapses. Apparently he's more recently received access to systems at the Department of Labor and also Health and Human Services [fortune.com]. With the large amounts of sensitive data, why would it be acceptable for someone who even just has a flippant attitude about security to have access to those systems? It's not acceptable for someone who's lazy about security to have that level of access to government computer systems with large amounts of Americans' personal data.
I reject the excuses you're making for Mr. Elez.
I see nothing in your links to corroborate your "yes, he really is a Nazi" claim. Racism against Indians is not a defining characteristic of Nazism. I find your ad hominem here to be disingenuous in any case, because his being a Nazi (even if I accept it to be true, as I currently consider it to be misinformation) has nothing to do with his professional ability to handle sensitive data.
First, you wrote:
As I noted, Marko Elez was in the news months ago because of his prominent role in DOGE, his offensive posts on social media, and the vice president's role in demanding that he be reinstated with DOGE. This isn't just someone with a Github repository who just happens to be some random DOGE staffer. He's notable because of his high-level access that's been widely reported. I'll give you the benefit of the doubt and assume you forgot who Mr. Elez was, even though you didn't show the same courtesy toward the authors of the reporting.
Now, you wrote:
Here's the problem: Mr. Elez has access to a very large amount of sensitive and private data that spans the entire population. Mr. Elez has shown strong antipathy toward various segments of the American people. His prior rhetoric [theregister.com] is consistent with people who are commonly described as neo-Nazis. When Mr. Elez receives high-level access to government databases, it means he's supposed to be a good steward of that data. However, his social media posts raise serious questions about whether he can be trusted to use his access ethically.
Would you want someone who says they hate your race and ethnicity to have access to view and likely manipulate databases with your private and highly sensitive data? That's putting the fox in charge of the chicken coop, and that's exactly why it matters. I bet you wouldn't like that scenario very much. You'd be right to have serious concerns. There's a massive conflict of interest when someone expresses hate for certain groups of people, then he wields considerable power over those people because of his access to their data.
At best, Mr. Elez has demonstrated a very cavalier attitude about security, and that's if we accept your generous assertion that "he couldn't be arsed for a personal hobby project". Looking through the Github repository, that's possible, but it's also unacceptable for someone who has his level of access to sensitive data. So we have two strikes against him, one that he's openly hostile toward some people whose personal data he has access to, and two that he seems to be very lazy about security.
People need to be able to trust their government. Mr. Elez has demonstrated multiple reasons that he should not be trusted.
Whether anyone likes it or not, mistakes happen. This is on xai now for not revoking the key. Not the dev who messed up, fixed it and obviously alerted them.
Caturegli sounds like an ass with an agenda.
Surely his code has always been pristine