A DeepSeek database left sensitive user data and chat histories completely exposed

DeepSeek, a Chinese AI startup, recently secured a database that had been exposing sensitive user data and system information without any authentication requirements.

Critical security breach: Cloud security firm Wiz discovered an unprotected database containing DeepSeek user information and system data that was freely accessible to anyone.

  • The exposed database contained more than 1 million log lines including user chat histories, API authentication keys, and system logs
  • The data was stored in ClickHouse, an open-source data management system
  • Security researchers found the vulnerable database “within minutes” without needing any authentication

Potential impact: The security flaw could have allowed malicious actors to gain significant control over DeepSeek’s internal systems.

  • The exposure enabled full database control and potential privilege escalation within DeepSeek’s environment
  • While DeepSeek promptly secured the database after being notified, it remains unclear if any unauthorized parties accessed the data
  • Security researchers noted that unauthorized access “wouldn’t be surprising, given how simple it was to discover”

Technical similarities: The incident has revealed interesting connections between DeepSeek’s technical infrastructure and that of industry leader OpenAI.

  • Researchers noted that DeepSeek’s systems closely mirror OpenAI’s architecture, including specific details like API key formatting
  • This observation comes as OpenAI recently accused DeepSeek of using its data to train AI models

Looking ahead: The incident raises important questions about data security practices among AI startups and the potential risks of architectural mimicry in the AI industry, particularly as companies race to compete with established players like OpenAI.

DeepSeek database left user data, chat histories exposed for anyone to see
