New Delhi: In a major blow to AI privacy and user trust, Elon Musk-backed chatbot Grok, developed by xAI, has exposed over 370,000 user conversations to the open internet through its unsecured "Share" feature, now indexed by search engines like Google, Bing, and DuckDuckGo.

The issue was first reported by Forbes, revealing that shared conversations from Grok, intended for selective distribution, were fully accessible via direct URLs and lacked even the most basic privacy protections, including “noindex” tags to prevent web crawlers from cataloguing them.

Highly sensitive data found in search results

Some of the exposed conversations include highly sensitive or alarming content, ranging from private health discussions and personal login information to even criminal planning and bomb-making instructions. Although the chats appear anonymised, experts warn that contextual clues and user identifiers within conversations could easily be used to trace them back to individuals.

Not the first of its kind

The incident draws parallels with a similar issue faced by OpenAI’s ChatGPT in 2023, when users found that shared chat links had also been indexed by search engines. OpenAI quickly implemented patches to prevent further exposure.

However, in Grok’s case, the vulnerability appears to have gone unnoticed for months, leading to the public indexing of hundreds of thousands of private conversations.

This has triggered backlash on social media and from data privacy advocates, who argue that xAI has failed to implement basic content safety protocols.

Here’s what you can do

Those who have used the Share feature on Grok are being urged to take immediate action:

  • Stop using the Share button for sensitive chats
  • Locate and delete any previously shared links
  • Use Google’s Content Removal Tool to request removal of indexed pages
  • Share via screenshots instead of links to avoid public exposure.

What xAI needs to fix

Industry experts recommend that Grok and xAI take the following corrective measures:

  • Add clear warnings when content is about to be made public
  • Implement “noindex” tags or expiration timers on all shared URLs
  • Develop a privacy-first content sharing system with opt-in mechanisms
  • Audit existing shared content to remove illegal or sensitive material from public view.
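A check for the missing “noindex” protection described above, as an added example that is not code from the article or from xAI: it inspects one fetched share-page response for a blocking robots directive in either the `X-Robots-Tag` header or a `<meta name="robots">` tag. The function name `audit_share_page` and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Directives that stop compliant crawlers indexing; "none" = "noindex, nofollow".
BLOCKING = {"noindex", "none"}

def _split(value):
    # Split a comma-separated robots directive list into lowercase tokens.
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "robots":
            self.directives |= _split(attr.get("content", ""))

def audit_share_page(headers, html):
    """Return (indexable, blocking_directives) for one fetched response.
    headers: list of (name, value) pairs; html: decoded response body.
    Bot-scoped headers such as "googlebot: noindex" are deliberately not
    counted, so a page hidden from only one crawler is still flagged.
    """
    header_dirs = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            header_dirs |= _split(value)
    parser = _RobotsMeta()
    parser.feed(html)
    found = (header_dirs | parser.directives) & BLOCKING
    return (not found, sorted(found))

# Constructed sample responses (not captured from any real service).
SAMPLES = {
    "unprotected": ([("Content-Type", "text/html")],
                    "<html><head><title>Shared chat</title></head></html>"),
    "meta": ([("Content-Type", "text/html")],
             '<head><meta name="robots" content="noindex, nofollow"></head>'),
    "header": ([("X-Robots-Tag", "none")], "<html></html>"),
    "decoy": ([], '<meta name="description" content="noindex">'),
}

if __name__ == "__main__":
    for label, (hdrs, body) in SAMPLES.items():
        print(label, audit_share_page(hdrs, body))
```

A “noindex” directive only asks crawlers not to list the page; anyone holding the URL can still open it, which is why the recommendations pair it with expiration timers and opt-in sharing.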