Cyberside Chats: Cybersecurity Insights from the Experts

Leaked and Loaded: DOGE’s API Key Crisis



On July 13, 2025, a developer at the Department of Government Efficiency—DOGE—accidentally pushed a private xAI API key to GitHub. That key unlocked access to 52 unreleased LLMs, including Grok‑4‑0709, and remained active long after discovery. 

In this episode of Cyberside Chats, we examine how a single leaked credential became a national-level risk—and how it mirrors broader API key exposures at BeyondTrust and across GitHub. LMG Security’s Director of Penetration Testing, Tom Pohl, shares red team insights on how embedded secrets give attackers a foothold—and what CISOs must do now to reduce their exposure. 

 

Key Takeaways:

  1. Treat leaked API keys like a full-blown incident, whether it's your code or a vendor's. Monitor for exposure and misuse, and include secrets in IR playbooks, even when it's third-party code.
  2. Ask your vendors the hard questions about secrets management. Do they rotate keys? Use a secrets manager? How quickly can they revoke?
  3. Scan your environment for exposed secrets, even if you don't develop software. Look for credentials in cloud configs, automation, scripts, and SaaS tools.
  4. Make sure your penetration testing team searches for secrets as part of their processes. Secrets can show up in unexpected places: firmware, config files, build artifacts. Your red team or vendor should actively hunt for exposed keys, hardcoded credentials, and reused certs across applications, infrastructure, and third-party tools.
  5. Train your IT staff and developers to remove secrets from code and automate detection. Use GitGuardian, TruffleHog, and a secrets manager like AWS Secrets Manager or HashiCorp Vault.
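As an added example (not code from the episode or from LMG Security), here is a minimal secrets scanner of the kind the takeaways describe: it flags known key formats by prefix and unknown ones by a secret-looking variable name plus an entropy check, run over a constructed config snippet. The "xai-" key prefix and every sample value are assumptions made for this example.

```python
import math
import re
from dataclasses import dataclass

# Credential formats with a recognisable prefix. The AWS AKIA prefix is
# documented; the "xai-" prefix for xAI keys is an ASSUMPTION for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "xai_api_key": re.compile(r"\bxai-[A-Za-z0-9]{20,}\b"),
}
# Fallback for unknown formats: a secret-looking name assigned a long value,
# filtered by entropy below so that placeholders are not reported.
GENERIC = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

@dataclass
class Finding:
    line_no: int
    kind: str
    value: str

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score well above words or placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
        for m in GENERIC.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            if any(f.value == value for f in findings):
                continue  # already reported under a known format
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, f"high_entropy_{name}", value))
    return findings

# Constructed sample config: two known-format keys, one unknown-format token,
# and two placeholders ("changeme", a Vault reference) that must not be flagged.
SAMPLE = """\
XAI_API_KEY = "xai-AbCdEf1234567890GhIjKlMnOpQrStUvWxYz"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "changeme"
api_key = "${API_KEY_FROM_VAULT}"
slack_token = "x9Kp2mQ7vL4nR8tW1yZ3bD6fH0jC5gA2eN"
"""
```

Running `scan_text(SAMPLE)` reports lines 1, 2 and 5 and stays silent on the two placeholders; the same function can be wired into a pre-commit hook or CI step over every file in a repository.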

References:

  • Exposed Secrets, Broken Trust: What the DOGE API Key Leak Teaches Us About Software Security – LMG Security: https://www.LMGsecurity.com/exposed-secrets-broken-trust-what-the-doge-api-key-leak-teaches-us-about-software-security/
  • "Private Keys in Public Places" – DEFCON talk by Tom Pohl, LMG Security: https://www.youtube.com/watch?v=7t_ntuSXniw
  • DOGE employee leaks private xAI API key from sensitive database – TechRadar: https://www.techradar.com/pro/security/doge-employee-with-sensitive-database-access-leaks-private-xai-api-key

Cyberside Chats: Cybersecurity Insights from the Experts, by Chatcyberside