DeepSeek, a Chinese AI startup, faced a major security lapse as its database was found completely open, exposing sensitive user information. Security researchers at Wiz discovered the issue within minutes, revealing that the database contained user chat histories, API authentication keys, and system logs, all accessible without any authentication.
The exposed data was stored in ClickHouse, an open-source data management system, and included over a million log entries. According to Wiz, this security flaw could have allowed hackers to gain full control over the database and potentially access DeepSeek’s internal systems.
After being notified by Wiz, DeepSeek quickly secured the database to prevent further exposure. However, it remains unclear whether anyone else accessed the data before the issue was resolved. Researchers noted that the ease of discovering the vulnerability made it highly likely that others may have come across it as well.
This discovery raises concerns about DeepSeek’s security measures, especially as it closely follows allegations by OpenAI. Earlier this week, OpenAI accused DeepSeek of using its data to train AI models, further intensifying scrutiny on the company. Wiz researchers also pointed out similarities between DeepSeek’s system architecture and OpenAI’s, including the format of API keys, which adds to concerns about potential data misuse.
The breach highlights the risks associated with AI companies handling vast amounts of sensitive user data. Proper security protocols, such as authentication controls and encryption, are essential to protect user information. This incident serves as a reminder of the importance of robust cybersecurity in the rapidly evolving AI industry.
