X (Twitter) - Data Breach
Executive Summary
A security researcher discovered that Grok Build, xAI's command-line tool, was uploading users' entire code repositories - including deleted Git history containing secrets, SSH keys, and password databases - to cloud storage, even when explicitly instructed not to access files. After the findings went public, xAI implemented a server-side fix to stop the uploads, and Elon Musk promised all previously collected user data would be deleted. Users without enterprise zero-data-retention enabled we...
What Happened
On July 14, 2026, security researcher Cereblab discovered that Grok Build, xAI's command-line tool, was uploading users' entire code repositories to Google Cloud Storage, including full Git histories with deleted secrets, SSH keys, and password databases. The uploads occurred even when users explicitly instructed the tool not to access files. After the findings became public, xAI implemented a server-side fix by setting a disable_codebase_upload flag to true, which stopped the unauthorized transmissions.
Who Is Affected
All Grok Build users who did not have enterprise-level zero data retention enabled were affected, as their complete repositories and Git histories were uploaded to xAI's cloud storage. Users who stored sensitive materials like SSH keys, password manager databases, and authentication secrets in their directories faced exposure of this data. Enterprise customers with zero data retention policies enabled were not impacted by the data collection.
Why It Matters
This incident demonstrates how AI development tools can silently extract far more user data than competitors or than users reasonably expect, even when given explicit instructions to the contrary. The exposure of deleted Git history is particularly significant because developers often commit secrets accidentally and remove them later, believing the data is gone. The breadth of data collection - entire repositories versus individual files - represents a substantial departure from industry norms established by competing tools like Claude Code and Gemini.
What You Should Do
If you used Grok Build without enterprise zero data retention enabled, run the /privacy command in the CLI immediately to disable data retention and delete previously uploaded data, as recommended by xAI. Review your Git history for any secrets or credentials that may have been included in past commits, even if deleted, and rotate those credentials as a precaution. Consider enabling zero data retention if you are an enterprise customer, or evaluate whether to continue using Grok Build versus alternative tools with more limited data collection practices.
Summary generated from verified sources and reviewed before publication. How we summarize.
Sources