DeepSeek’s AI Database Exposed in Major Security Breach

Chinese AI startup DeepSeek, which has gained rapid traction for its open-source AI models, recently left a critical database exposed on the internet, potentially allowing malicious actors to access sensitive internal data. Security researcher Gal Nagli from Wiz discovered that DeepSeek’s ClickHouse database was openly accessible, enabling full control over database operations, including the ability to access confidential data.

The security lapse exposed more than a million lines of log streams, including chat history, secret keys, backend details, API secrets, and other sensitive operational metadata. Wiz reached out to DeepSeek, after which the company quickly addressed the vulnerability and sealed the exposed database. However, it remains unclear whether any unauthorized entities exploited this security flaw before it was patched.

Cybersecurity experts have raised concerns about the rapid expansion of AI services without adequate security measures in place. The exposed database, hosted at oauth2callback.deepseek[.]com:9000 and dev.deepseek[.]com:9000, allowed unauthorized access to DeepSeek’s infrastructure without authentication. Wiz noted that attackers could have executed arbitrary SQL queries using ClickHouse’s HTTP interface, potentially escalating privileges within DeepSeek’s systems.

“The rapid adoption of AI services without corresponding security is inherently risky,” Nagli said in a statement to The Hacker News. “While much of the attention around AI security is focused on futuristic threats, the real dangers often come from basic risks—like the accidental external exposure of databases.” He emphasized that safeguarding customer data must be a top priority and urged security teams to work closely with AI engineers to prevent such lapses.
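A defensive configuration audit for the kind of exposure described above, as an added example that is not from the article, Wiz, or DeepSeek: it parses ClickHouse server and user XML and flags a wildcard `listen_host` together with users that have no password. The sample configs are constructed, and only `<ip>` network entries and password-style credentials are evaluated (other authentication methods are not).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not DeepSeek's): server bound to every
# interface, passwordless "default" user allowed from any address.
SAMPLE_CONFIG = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""
SAMPLE_USERS = """<clickhouse><users>
  <default><password></password><networks><ip>::/0</ip></networks></default>
  <app><password_sha256_hex>PLACEHOLDER_HASH</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks></app>
</users></clickhouse>"""

WILDCARDS = {"0.0.0.0", "::"}
CRED_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7")]

def is_public(spec):
    """True if an <ip> entry admits addresses outside internal ranges."""
    try:
        net = ipaddress.ip_network(spec.strip(), strict=False)
    except ValueError:
        return False  # not an address or CIDR; not evaluated here
    return not any(net.version == i.version and net.subnet_of(i)
                   for i in INTERNAL)

def audit(config_xml, users_xml):
    """Return findings for a wildcard bind and for passwordless users."""
    findings = []
    cfg, usr = ET.fromstring(config_xml), ET.fromstring(users_xml)
    hosts = {(h.text or "").strip() for h in cfg.iter("listen_host")}
    exposed = sorted(hosts & WILDCARDS)
    if exposed:
        ports = [f"{p.tag}={p.text}" for p in cfg
                 if p.tag in ("http_port", "tcp_port")]
        findings.append(f"listens on {exposed} ({', '.join(ports)})")
    for user in usr.findall("./users/*"):
        if any((user.findtext(t) or "").strip() for t in CRED_TAGS):
            continue  # a password or hash is set
        nets = [ip.text for ip in user.findall("./networks/ip")
                if is_public(ip.text or "")]
        scope = f"public ranges {nets}" if nets else "no public <ip> ranges"
        findings.append(f"user '{user.tag}' has no password; allowed from {scope}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, SAMPLE_USERS)))
```

A server that produces both findings at once, a wildcard bind plus a passwordless user allowed from public ranges, matches the unauthenticated exposure the article describes.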

DeepSeek’s Meteoric Rise and Ongoing Scrutiny

DeepSeek has been making waves in the AI industry with its groundbreaking models, claiming to rival industry leaders like OpenAI while maintaining cost efficiency. Its reasoning model, R1, has been described as “AI’s Sputnik moment,” signaling China’s competitive push in AI innovation. DeepSeek’s chatbot has skyrocketed to the top of app store charts on both Android and iOS in multiple markets. However, its success has also attracted increased scrutiny, including large-scale cyberattacks that forced the company to pause new user registrations.

Adding to its challenges, DeepSeek’s presence in Italy was abruptly halted following an inquiry from the country’s data protection regulator regarding its data handling practices and the origins of its training data. The startup has not confirmed whether the removal of its apps was a direct response to regulatory scrutiny.

Concerns Over DeepSeek’s Ties to China and Potential Data Misuse

DeepSeek’s rapid growth and Chinese affiliation have raised national security concerns, particularly in the United States. Major media outlets, including Bloomberg, The Financial Times, and The Wall Street Journal, have reported that OpenAI and Microsoft are investigating whether DeepSeek improperly used OpenAI’s API to train its models. This method, known as “distillation,” involves extracting knowledge from another AI model’s outputs to enhance a competing model’s capabilities.

An OpenAI spokesperson told The Guardian, “We know that groups in [China] are actively working to use methods, including what’s known as distillation, to try to replicate advanced US AI models.” If such claims are proven, they could lead to legal and regulatory consequences for DeepSeek, potentially impacting its global operations.

As DeepSeek works to patch security vulnerabilities and address regulatory scrutiny, the incident highlights the growing risks associated with AI development—both in terms of cybersecurity and intellectual property concerns. With AI models becoming increasingly powerful, ensuring data protection and ethical AI practices will be crucial for companies operating in this highly competitive space.
