Researchers from the cloud security firm Wiz revealed findings on Wednesday that show DeepSeek left one of its critical databases exposed on the internet. This lapse leaked system logs, user prompt submissions, and even users’ API authentication tokens to anyone who came across the database. The database contained over 1 million records.
DeepSeek is a relatively new company and has been virtually unreachable by the press and other organizations this week. The company did not immediately respond to requests for comment about the exposure. The Wiz researchers sent information about the discovery to every DeepSeek email address and LinkedIn profile they could find or guess.
Within a half hour of their mass contact attempt, the database was locked down and inaccessible to unauthorized users. It is unclear whether malicious actors or authorized parties accessed or downloaded the data. “The fact that mistakes happen is correct, but this is a dramatic mistake because the effort level is very low and the access level that we got is very high,” Ami Luttwak, the CTO of Wiz, said.
This means that the service is not mature enough to handle sensitive data.
Exposed databases accessible to anyone on the open internet are a longstanding problem that institutions and cloud providers have slowly worked to address. However, the Wiz researchers note that the DeepSeek database they found was visible almost immediately with minimal scanning or probing.
DeepSeek’s database security misstep
“Usually, when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” says Nir Ohfeld, the head of vulnerability research at Wiz. But this time, “here it was at the front door.” Ohfeld adds that the “technical difficulty of this vulnerability is the bare minimum.”
The researchers said the trove they found appears to have been a ClickHouse database, an open-source database typically used for server analytics. The log files contained users’ routes or paths through DeepSeek’s systems, their prompts and other interactions with the service, and the API keys they had used to authenticate.
The prompts the researchers saw were all in Chinese, but they noted that the database may have contained prompts in other languages as well. The researchers did the minimum assessment needed to confirm their findings without unnecessarily compromising user privacy. They speculate that a malicious actor could have used deep access to the database to move laterally into other DeepSeek systems and execute code in other parts of the company’s infrastructure.
“It’s pretty shocking to build an AI model and leave the backdoor wide open from a security perspective,” says independent security researcher Jeremiah Fowler, who specializes in discovering exposed databases. This type of operational data and the ability for anyone with an internet connection to access it and then manipulate it is a major risk to the organization and users.
DeepSeek’s systems appear to be very similar to OpenAI’s, designed perhaps to make it easier for new customers to use DeepSeek without difficulty. The entire DeepSeek infrastructure appears to mimic OpenAI’s, down to details like the format of the API keys.
The Wiz researchers don’t know if anyone else found the exposed database before they did, but it wouldn’t be surprising, given how simple it was to discover. Fowler also notes that the vulnerable database would have “definitely” been found quickly—if it wasn’t already—by other researchers or bad actors. I think this is a wake-up call for the wave of AI products and services we will see soon and how seriously they take cybersecurity,” he says.
Rashan is a seasoned technology journalist and visionary leader serving as the Editor-in-Chief of DevX.com, a leading online publication focused on software development, programming languages, and emerging technologies. With his deep expertise in the tech industry and her passion for empowering developers, Rashan has transformed DevX.com into a vibrant hub of knowledge and innovation. Reach out to Rashan at [email protected]
