Type
Research
Actors
Pub. date
May 1, 2025
Initial access
Exposed secret
Impact
Resp. disclosure
Observed techniques
Credential harvesting from code repository
Targeted technologies
GitHub
References
https://krebsonsecurity.com/2025/05/xai-dev-leaks-api-key-for-private-spacex-tesla-llms/
Status
Finalized
Last edited
May 19, 2025 10:51 AM
A security lapse at xAI, led to the exposure of a private API key on GitHub by a company employee. The leaked credential, discovered by Philippe Caturegli and validated by GitGuardian, provided access to at least 60 private and unreleased large language models (LLMs), including models fine-tuned on sensitive data from Musk’s other companies—SpaceX, Tesla, and Twitter/X. These models included internal tools like "tweet-rejector" and "grok-spacex-2024-11-04." Despite GitGuardian alerting the xAI employee nearly two months prior, the key remained valid until the issue was escalated directly to xAI’s security team.