Tech

SpaceX AI’s Grok tool halted after uploading entire user codebases to cloud storage

Elon Musk confirms deletion of previously uploaded data but urges users to allow retention for debugging, while experts warn of significant privacy risks.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: The Verge · original
SpaceXAI’s Grok programming tool was uploading its users’ entire codebase to cloud storage
Security researchers at Cereblab expose excessive data retention practices in coding assistant

SpaceX AI’s Grok Build coding tool was discovered uploading users’ complete code repositories to a Google Cloud storage bucket, including deleted secrets and files explicitly instructed to remain closed. The feature was disabled following an investigation by security researchers at Cereblab, who highlighted that the tool retained significantly more data than comparable AI coding assistants such as Claude Code.

Tests conducted by Cereblab on Monday confirmed that SpaceX AI’s servers were returning a “disable_codebase_upload: true” flag, indicating that the automatic upload function had ceased. The researchers noted that the tool was packaging and transmitting entire codebases, capturing sensitive information that had been removed from history or marked for exclusion from analysis.

In response to the incident, Elon Musk posted on X stating that all data previously uploaded by Grok Build would be “completely and utterly deleted.” While asserting that privacy settings are always respected, Musk also requested that users permit data retention to assist with debugging issues, a stance that drew criticism regarding the scope of the collection.

Dr Lukasz Olejnik, an independent security researcher affiliated with King’s College London, described the data retention practices as excessive. He warned that the volume of data potentially at risk included proprietary source code, infrastructure details, credentials, and information regarding security vulnerabilities.

SpaceX AI initially suggested that the `/privacy` command in the command-line interface could disable data retention and remove previously synced information. However, Cereblab clarified that this command functions only as a per-session retention toggle and was not the mechanism that resolved the underlying upload issue.

Continue reading

More from Tech

Read next: Unicode Consortium Unveils Nine New Emoji Designs for 2026 Standard
Read next: Samsung’s 2026 SSD Update Delivers Slower Performance at Higher Prices
Read next: Sony indefinitely delays PlayStation FlexStrike fight stick amid production issues