A cloud security firm found a publicly accessible, fully controllable database belonging to DeepSeek, the Chinese firm that has recently shaken up the AI world, “within minutes” of examining DeepSeek’s security, according to a blog post by Wiz.
An analytical ClickHouse database tied to DeepSeek, “completely open and unauthenticated,” contained more than 1 million instances of “chat history, backend data, and sensitive information, including log streams, API secrets, and operational details,” according to Wiz. An open web interface also allowed for full database control and privilege escalation, with internal API endpoints and keys available through the interface and common URL parameters.
“While much of the attention around AI security is focused on futuristic threats, the real dangers often come from basic risks—like accidental external exposure of databases,” writes Gal Nagli at Wiz’s blog. “As organizations rush to adopt AI tools and services from a growing number of startups and providers, it’s essential to remember that by doing so, we’re entrusting these companies with sensitive data. The rapid pace of adoption often leads to overlooking security, but protecting customer data must remain the top priority.”
Ars has contacted DeepSeek for comment and will update this post with any response. Wiz noted that it did not receive a response from DeepSeek regarding its findings, but after contacting every DeepSeek email and LinkedIn profile Wiz could find on Wednesday, the company protected the databases Wiz had previously accessed within half an hour.
“The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high,” Ami Luttwak, CTO of Wiz, said to WIRED. “I would say that it means that the service is not mature to be used with any sensitive data at all.”
DeepSeek’s R1 model, a freely available simulated reasoning model that DeepSeek and some testers believe matches OpenAI’s o1 model in performance, has sparked a blaze of volatility in the tech and AI markets. DeepSeek purportedly runs at a fraction of the cost of o1, at least on DeepSeek’s servers. The seemingly drastically reduced power needed to run and train R1 also rocked power company stock prices. Ars’ Kyle Orland found R1 impressive, given its seemingly sudden arrival and smaller scale, but noted some deficiencies in comparison with OpenAI models.
OpenAI told the Financial Times that it believed DeepSeek had used OpenAI outputs to train its R1 model, in a practice known as distillation. Such training violates OpenAI’s terms of service, and the firm told Ars it would work with the US government to protect its model. In examining DeepSeek’s systems, Wiz researchers told WIRED, they found numerous structural similarities to OpenAI, seemingly so that customers could transition from that firm to DeepSeek.