Logo
FrontierNews.ai

Grok's Coding Tool Was Secretly Uploading Your Entire Codebase to the Cloud

SpaceXAI's Grok Build, an AI coding assistant, was uploading users' entire codebases to Google Cloud storage before researchers discovered the practice and the company disabled the feature. Security researchers at Cereblab published findings on July 14, 2026, revealing that the Grok Build command-line interface (CLI) was packaging and uploading complete code repositories, including files the tool was instructed not to access and secrets that had been deleted from version history.

What Data Was Being Uploaded Without Users' Knowledge?

The scope of the data exposure was significant. According to independent security researcher Dr. Lukasz Olejnik at King's College London, the amount of data retention was "excessive." The potentially at-risk information included proprietary source code, details about security vulnerabilities, personal data, infrastructure information, and credentials. This level of data collection far exceeded what similar tools like Claude Code from Anthropic were retaining.

Cereblab's tests showed that as of July 14, SpaceXAI's servers began returning a "disable_codebase_upload: true" flag, and the codebase upload feature "no longer fires," indicating the company had disabled the problematic behavior after the security issue was reported.

How Did SpaceXAI Respond to the Privacy Breach?

Elon Musk responded to the incident through posts on X, stating that all data Grok Build had previously uploaded would be "completely and utterly deleted." In a separate message, Musk claimed that "privacy settings are always respected," but he also asked users to allow SpaceXAI to retain their data, arguing it would be "helpful for debugging issues".

Elon Musk

However, SpaceXAI's initial response to the security researchers contained misleading guidance. The company suggested that users could disable data retention using a "/privacy command" in the CLI, claiming this would also delete previously synced data. Cereblab researchers pointed out a critical flaw in this explanation: the "/privacy command" is only a per-session retention toggle, not the actual control that fixed the underlying issue, so it should not have been presented as the solution.

Steps to Protect Your Code If You Used Grok Build

  • Review Your Data Exposure: If you used Grok Build before July 14, 2026, assume your codebase may have been uploaded to Google Cloud. Identify any sensitive information that was in your repositories, including API keys, database credentials, or proprietary algorithms.
  • Rotate Your Credentials: Change any passwords, API keys, tokens, or other authentication credentials that may have been exposed in your uploaded code repositories. This includes cloud service credentials, database access tokens, and third-party service keys.
  • Monitor for Unauthorized Access: Watch your cloud storage accounts, version control systems, and infrastructure for any signs of unauthorized access or suspicious activity that could indicate your exposed code was accessed by malicious actors.
  • Verify Data Deletion: Contact SpaceXAI directly to confirm that your previously uploaded data has been completely deleted from their Google Cloud storage, and request written confirmation of the deletion.

The incident raises broader questions about how AI coding tools handle sensitive developer data. Unlike some competitors, Grok Build was uploading entire repositories without requiring explicit, informed consent from users. The fact that researchers had to discover this behavior, rather than the company proactively disclosing it, suggests the feature was not prominently documented in user-facing privacy settings or terms of service.

"This amount of data retention is excessive," confirmed Dr. Lukasz Olejnik, an independent security researcher at King's College London, noting that the data potentially at risk could include "proprietary source code, information about security vulnerabilities, personal data, infrastructure details, and credentials."

Dr. Lukasz Olejnik, Independent Security Researcher at King's College London

The Grok Build incident underscores a critical tension in AI-powered developer tools. These systems often claim to need access to your entire codebase to provide better suggestions and debugging assistance. However, this convenience comes at a privacy cost that many developers may not fully understand when they first enable the tool. The discovery that Grok Build was uploading data beyond what users explicitly authorized suggests that AI companies need clearer, more granular controls over what information gets sent to cloud servers.

For developers considering AI coding assistants, this incident serves as a reminder to carefully review privacy policies and data retention settings before connecting these tools to your repositories. The fact that SpaceXAI disabled the feature after being caught, rather than defending it as necessary, indicates that the company itself recognized the practice crossed a line with user expectations around data handling.