A major security lapse at Chinese AI startup DeepSeek left user chat histories, API authentication keys, and system logs publicly accessible without any security protection. Cloud security firm Wiz discovered the open database within minutes, as it required no authentication to access.
The exposed data, over one million log lines, was stored in ClickHouse, an open-source data management system. According to Wiz, this breach could have allowed bad actors to take full control of the database and potentially escalate privileges within DeepSeek’s internal systems.
After being alerted by Wiz, DeepSeek acted quickly to secure the database. However, it remains uncertain whether anyone else accessed the data before the vulnerability was fixed.
Wiz researchers stated that given how easily the database was found, it would not be surprising if others had already accessed the information.
The security lapse raises concerns over how DeepSeek manages sensitive data and whether similar issues could arise in the future.
Adding to the controversy, Wiz noted that DeepSeek’s system structure closely resembles that of OpenAI, including the format of API keys.
This revelation follows OpenAI’s recent accusation that DeepSeek used its data to train AI models without authorization. The similarities between their systems further fuel suspicions of potential intellectual property misuse.
The incident highlights the risks associated with inadequate cybersecurity measures, especially for AI companies handling large volumes of user data. With the increasing reliance on AI tools, companies must prioritize securing their databases to prevent unauthorized access.
While DeepSeek’s swift action prevented further exposure, the breach serves as a warning about the importance of stronger security protocols. The incident also raises concerns about AI firms operating with minimal transparency, increasing the need for stricter regulations and oversight in the industry.