DeepSeek AI’s Database Breach: What You Need to Know


Chinese AI startup DeepSeek has suffered a major security lapse, exposing a database containing sensitive information, including chat history, secret keys, and backend details. The vulnerability granted unauthorized access to over a million log lines before being fixed. The breach raises concerns about AI security and DeepSeek’s handling of user data, further fueling scrutiny over its data practices and ties to China.

The rise of AI-powered platforms has led to increased cybersecurity threats, and the latest victim is DeepSeek, a fast-growing Chinese AI company. The firm left an unprotected database exposed on the internet, potentially allowing malicious actors to gain access to highly sensitive data.

According to cybersecurity researchers at Wiz, the vulnerability provided full control over database operations, enabling privilege escalation and unauthorized access without authentication. The exposed data included:

• Over a million lines of log history

• Secret API keys

• Backend infrastructure details

• Chat interactions

• Operational metadata

The database was accessible through oauth2callback.deepseek[.]com:9000 and dev.deepseek[.]com:9000, where attackers could execute SQL queries using ClickHouse’s HTTP interface directly from a web browser.
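Operators running their own ClickHouse can check the server configuration for the condition described above: an account that requires no credential, reachable through a listener bound to all interfaces. The following is an added example, not code from Wiz, DeepSeek or the original article; the XML is constructed sample input, and `audit` and its severity labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration; not DeepSeek's actual files.
CONFIG_XML = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <http_port>9000</http_port>
</clickhouse>"""

USERS_XML = """<clickhouse><users>
  <default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default>
  <app_ro>
    <password_sha256_hex>CONSTRUCTED_PLACEHOLDER_HASH</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks>
  </app_ro>
</users></clickhouse>"""

CRED_TAGS = {"password_sha256_hex", "password_double_sha1_hex",
             "ldap", "kerberos", "ssl_certificates"}
ANY_NET = {"::/0", "0.0.0.0/0"}
WILDCARD = {"::", "0.0.0.0"}

def audit(config_xml, users_xml):
    """Return (user, severity, reasons) for accounts usable without a credential."""
    cfg = ET.fromstring(config_xml)
    hosts = {(h.text or "").strip() for h in cfg.findall("listen_host")}
    public_listener = bool(hosts & WILDCARD)
    findings = []
    for user in ET.fromstring(users_xml).findall("users/*"):
        tags = {child.tag for child in user}
        password = (user.findtext("password") or "").strip()
        if password or (tags & CRED_TAGS and "no_password" not in tags):
            continue  # some credential is required for this account
        reasons = ["no password required"]
        nets = {(ip.text or "").strip() for ip in user.findall("networks/ip")}
        # Conservative assumption: a missing <networks> list counts as unrestricted.
        open_net = not nets or bool(nets & ANY_NET)
        if open_net:
            reasons.append("allowed from any source address")
        if public_listener:
            reasons.append("server listens on all interfaces")
        severity = "critical" if open_net and public_listener else "warning"
        findings.append((user.tag, severity, reasons))
    return findings

if __name__ == "__main__":
    for name, severity, reasons in audit(CONFIG_XML, USERS_XML):
        print(f"[{severity}] user '{name}': " + "; ".join(reasons))
```

A "critical" finding still needs to be weighed against firewall and security-group rules, which this configuration-only check cannot see.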

Growing Concerns Over AI Security

DeepSeek has since addressed the security hole following notifications from Wiz researchers. However, it remains unclear whether any bad actors exploited the vulnerability before it was patched.

Gal Nagli, the Wiz researcher who discovered the breach, warned that “the rapid adoption of AI services without corresponding security is inherently risky.” He noted that while discussions about AI security often focus on futuristic threats, real dangers arise from basic lapses such as exposed databases.

Security experts have stressed the need for AI companies to prioritize customer data protection by working closely with engineers to prevent such breaches.

Regulatory and Industry Scrutiny Intensifies

Beyond security concerns, DeepSeek is also under scrutiny for its data handling policies. The company’s rise has drawn regulatory attention, particularly in the U.S. and Europe:

U.S. National Security Concerns: DeepSeek’s Chinese ties have raised questions in Washington about potential risks associated with foreign AI firms.

Privacy Investigations in Italy: Italy’s data protection regulator has demanded transparency on DeepSeek’s data collection and training methods. Shortly after, the company’s apps became unavailable in the country.

Intellectual Property Questions: Reports from Bloomberg and The Financial Times indicate that OpenAI and Microsoft are investigating whether DeepSeek used OpenAI’s API without permission to train its models, a controversial practice known as “distillation.”

An OpenAI spokesperson told The Guardian, “We know that groups in [China] are actively working to use methods, including what’s known as distillation, to try to replicate advanced U.S. AI models.”

What’s Next for DeepSeek?

Despite the controversy, DeepSeek has rapidly gained traction, with its open-source AI models being touted as cost-effective alternatives to major players like OpenAI. Its reasoning model R1 has been described as “AI’s Sputnik moment,” signaling a breakthrough in AI development.

However, the security breach, combined with regulatory scrutiny and potential IP disputes, places the company in a precarious position. Moving forward, how DeepSeek handles security, transparency, and compliance will determine its long-term viability in the competitive AI space.

Source: The Hacker News