SpaceXAI wipes customer data after Grok uploads sensitive information
Add Axios as your preferred source to
see more of our stories on Google.

Illustration: Shoshana Gordon/Axios
SpaceXAI says it will delete customer data previously uploaded to its systems after a researcher found that its Grok Build coding assistant was sending entire code repositories to a company-controlled Google Cloud storage bucket.
Why it matters: The tool appeared to upload far more data than was needed to answer coding requests, potentially including proprietary source code, API keys and other sensitive information that customers may not have realized was leaving their computers.
- Developers whose repositories contained API keys, cloud credentials or database passwords now may need to rotate those credentials, since deleting the uploaded data doesn't eliminate the risk that sensitive information was exposed.
Driving the news: A security researcher reported over the weekend that Grok Build was uploading much more of customers' code repositories than was necessary to complete coding tasks.
- Shortly after the findings were published, the uploads appeared to stop without users installing an update, suggesting SpaceXAI had made a change on its end.
- SpaceXAI said Monday that "no trace and code data is ever retained" for customers with zero-data-retention agreements, adding that " we care deeply about your privacy and respect customer choice."
- "As a precautionary measure, all user data that was uploaded to SpaceXAI before now will be completely and utterly deleted. Zero anything whatsoever will remain," SpaceXAI CEO Elon Musk also said on X Monday.
By the numbers: In one test, Grok Build uploaded 5.1 gigabytes of data even though the coding task required just 192 kilobytes — about 26,000 times more data than was needed.
The big picture: SpaceXAI joins Anthropic and other AI companies that have faced questions this year over how customer data is collected, retained and used.
- When Anthropic rolled out Fable 5 and Mythos 5, the company started retaining user data for those models for 30 days to "support our safety work," despite having zero data retention agreements with several enterprise customers.
What to watch: It remains unclear how many SpaceXAI users were affected, which versions of Grok Build uploaded repositories, how long the data was stored, whether it was ever accessed, and how customers can independently verify that it has been deleted.
Go deeper: Open-source AI gets more compute from SpaceX
