Musk Admits Grok Build Leaked User Code, Promises to Wipe All Data
Musk Admits Grok Build Leaked User Code, Promises to Wipe All Data
Elon Musk has personally acknowledged a serious privacy breach involving Grok Build, an AI coding assistant developed by his company xAI. In a rare move, Musk admitted the incident was real and promised to completely erase all user data that had been uploaded to SpaceXAI's servers, leaving "not a single byte." This marks the first time a major AI company has publicly confessed to such a violation and pledged to delete user data.
The Discovery: A Security Researcher's Sting Operation
The controversy began when independent AI security researcher @cereblab decided to test Grok Build's privacy claims. The tool's website explicitly states it is "local-first, code stays on your own computer." But the researcher was skeptical. He created a test repository with fake API keys and database passwords as unique markers, then monitored all data packets sent by Grok Build.
He instructed Grok Build to do nothing but respond with "OK." The AI complied, but then secretly packaged and uploaded all files in the repository, along with the complete modification history, to a Google Cloud storage bucket. A 12GB test repository transmitted 5.1GB of data in 73 packages. The conversation itself used only 192KB of traffic—meaning the leaked data was 27,800 times larger than the actual work performed. Another researcher found that logs recorded 339 automatic uploads, one of which included the entire main directory of the computer.
The Fallout: A Crisis of Trust
The report quickly topped Hacker News and sparked outrage on Reddit. Developers rushed to change their keys, while others uninstalled the tool immediately. Enterprise users were hit hardest—many teams' private repositories and production environment keys had been unknowingly uploaded to unknown servers, with no way to determine what was lost. xAI initially tried to quietly stop the upload behavior without updating the changelog. But the silence couldn't hold, and Grok officially admitted the issue, releasing a command to disable data retention with one click.
Musk's Response: Full Deletion Promised
Elon Musk responded directly, starting with the word "True," acknowledging the leak. He promised that all user data previously uploaded would be completely and thoroughly deleted within 48 hours. However, the damage to trust may be lasting. The incident raises serious questions about AI companies' privacy practices and the gap between marketing promises and actual behavior.
Key Points
- Grok Build secretly uploaded user code to cloud servers, contradicting its "local-first" promise.
- A security researcher exposed the leak using a test repository with fake credentials.
- The leaked data was 27,800 times larger than the actual conversation traffic.
- Elon Musk admitted the breach and promised to delete all historical data within 48 hours.
- The incident has sparked a major trust crisis in the AI industry, especially among enterprise users.