Security researchers at cloud security firm Wiz revealed today that DeepSeek, the Chinese AI startup making headlines for its cost-efficient models, left a database containing millions of user chat logs and API secrets publicly accessible without any authentication requirements.
Why it matters: The exposure of DeepSeek‘s internal database fundamentally challenges the company’s security practices at a crucial moment when it’s gaining prominence in the global AI race and facing increased regulatory scrutiny.
Technical Details: The security flaw centered on an exposed ClickHouse database accessible through two company subdomains:
- No authentication required
- Over 1 million lines of sensitive data
- Plaintext chat histories exposed
Security Impact: The exposed database contained critical information:
- API keys and secrets
- Backend operational details
- Server directory structures
Amit Luttwak, Wiz CTO: Luttwak said, “They took it down in less than an hour. But this was so simple to find, we believe we’re not the only ones who found it.”
Looking Forward: While DeepSeek secured the database within an hour of notification, the incident raises questions about security practices at rapidly growing AI companies.
