xAI Grok Build AI Tool Uploaded Entire Private Repositories and Secrets to Cloud Storage

Thumbnail Image

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

xAI's Grok Build AI coding tool was found to upload entire Git repositories, including full commit histories and unredacted secrets, to Google Cloud storage without user consent—even when instructed not to access certain files. This exposed sensitive data and violated privacy and intellectual property rights, prompting xAI to disable the feature.[AI generated]

Why's our monitor labelling this an incident or hazard?

The AI system (Grok Build) is explicitly involved as it is the tool uploading code repositories. The incident stems from the AI system's use and malfunction in handling user data improperly, uploading far more data than necessary, including sensitive and confidential information, without clear user consent. This constitutes a violation of intellectual property rights and user privacy, which are protected under applicable laws and fundamental rights. The harm is realized as users' code and sensitive data were uploaded without proper disclosure or consent, constituting an AI Incident under the framework's criteria for violations of rights and harm to property.[AI generated]
AI principles
Privacy & data governanceTransparency & explainability

Industries
IT infrastructure and hostingDigital security

Affected stakeholders
ConsumersBusiness

Harm types
Human or fundamental rightsEconomic/PropertyReputational

Severity
AI incident

Business function:
Research and development

AI system task:
Content generation


Articles about this incident or hazard