Guess who left a database wide open, exposing chat logs, API keys, and more? Yup, DeepSeek

Oh someone's in DeepShi...


China-based AI biz DeepSeek may have developed competitive, cost-efficient generative models, but its cybersecurity chops are another story.

Wiz, a New York-based infosec house, says that shortly after the DeepSeek R1 model gained widespread attention, it began investigating the machine-learning outfit's security posture. What Wiz found is that DeepSeek – which not only develops and distributes trained openly available models but also provides online access to those neural networks in the cloud – did not secure the database infrastructure of those services.

That means conversations with the online DeepSeek chatbot, and more data besides, were accessible from the public internet with no password required.

"Within minutes, we found a publicly accessible ClickHouse database linked to DeepSeek, completely open and unauthenticated, exposing sensitive data," the firm said in an advisory Wednesday. "It was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.

"This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details."

To make matters worse, Wiz said, the exposure allowed for full control of the database and potential privilege escalation within the DeepSeek environment, without any authentication or barrier to external access.

Using ClickHouse's HTTP interface, security researchers were able to hit a /play endpoint and run arbitrary SQL queries from the browser. With the SHOW TABLES; query, they obtained a list of accessible datasets.

One of those tables, log_stream, is said to have contained all sorts of sensitive data within the million-plus log entries.

According to Wiz, this included timestamps, references to API endpoints, people's plaintext chat history, API keys, backend details, and operational metadata, among other things.

The researchers speculate that, depending on DeepSeek's ClickHouse configuration, an attacker could potentially have retrieved plaintext passwords, local files, and proprietary data simply with the appropriate SQL command – though they did not attempt such actions.
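The exposure Wiz describes comes down to one property: the ClickHouse HTTP interface answered queries to anyone who could reach the port, with no credentials. The following is an added example, not Wiz's tooling or anything from DeepSeek, showing how a security team can check its own ClickHouse endpoints for that condition. It assumes (as is the case for stock ClickHouse) that the HTTP interface accepts `GET /?query=...`, listens on 8123 by default, and rejects bad credentials with an error body containing `Code: 516`. The probe is a harmless `SELECT 1`. To keep the example runnable offline, it also starts two constructed stand-in servers on localhost, one wide open and one demanding authentication, and checks both.

```python
"""Exposure check for a ClickHouse HTTP interface (added example, not Wiz's tooling).

Assumptions (not from the article): ClickHouse answers plain GET requests of the
form /?query=... on its HTTP port (8123 by default) and rejects bad or missing
credentials with an HTTP error whose body carries "Code: 516".
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_QUERY = "SELECT 1"  # harmless: proves only that anonymous queries execute


def classify(status, body):
    """Map the HTTP status and body of the probe query to an exposure verdict."""
    text = body.strip()
    if status == 200 and text == "1":
        return "open"            # query ran with no credentials at all
    if status in (401, 403) or "Code: 516" in text:
        return "auth-required"   # server is up but refuses anonymous queries
    if status == 200:
        return "unexpected-200"  # 200 but not a ClickHouse answer: probably not ClickHouse
    return "unknown"


def check_clickhouse_http(base_url, timeout=3.0):
    """Send the probe query with no credentials and classify the answer."""
    url = base_url.rstrip("/") + "/?" + urllib.parse.urlencode({"query": PROBE_QUERY})
    req = urllib.request.Request(url, headers={"User-Agent": "clickhouse-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


class _MockClickHouse(BaseHTTPRequestHandler):
    """Constructed stand-in for a ClickHouse HTTP endpoint (not real ClickHouse)."""
    require_auth = False

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        query = params.get("query", [""])[0]
        if self.require_auth and "Authorization" not in self.headers:
            self._reply(403, "Code: 516. DB::Exception: default: Authentication failed\n")
        elif query.strip() == PROBE_QUERY:
            self._reply(200, "1\n")
        else:
            self._reply(400, "Code: 62. DB::Exception: Syntax error\n")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start two mock servers on localhost (open and locked) and check each."""
    verdicts = {}
    for name, require_auth in (("open-instance", False), ("locked-instance", True)):
        handler = type("Handler", (_MockClickHouse,), {"require_auth": require_auth})
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            verdicts[name] = check_clickhouse_http(f"http://127.0.0.1:{srv.server_port}")
        finally:
            srv.shutdown()
            srv.server_close()
    return verdicts


if __name__ == "__main__":
    print(run_demo())  # {'open-instance': 'open', 'locked-instance': 'auth-required'}
```

Any "open" verdict on a host reachable from outside the VPC is the condition Wiz found. The fix is the usual one for ClickHouse: give the default user a password (it ships with none), restrict the user's allowed networks in the user configuration, and keep the HTTP and native ports off the public internet entirely.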

"The rapid adoption of AI services without corresponding security is inherently risky," Gal Nagli, a cloud security researcher at Wiz, told El Reg.

"While much of the attention around AI security is focused on futuristic threats, the real dangers often come from basic risks - like the accidental external exposure of databases. Protecting customer data must remain the top priority for security teams, and it is crucial that security teams work closely with AI engineers to safeguard data and prevent exposure."

According to Wiz, DeepSeek promptly fixed the issue when informed about it.

DeepSeek, which offers free web and app access, and paid-for API access, to its CCP-censored models, did not immediately respond to a request for comment.

Its privacy policy for its online services makes it clear that it logs and stores full usage information on its servers in China. The Android and iOS app is not available in Italy after the Euro nation's data-protection watchdog started asking pointed questions about the use of people's personal data. Ireland is also said to be investigating.

The biz also upset OpenAI in more ways than one; the US lab famous for scraping the internet for training data believes DeepSeek used OpenAI's GPT models to produce material to train DeepSeek's neural networks. ®
