Researchers Uncover Exposed DeepSeek Database Leaking Sensitive Data!
Researchers from leading cloud security company Wiz have published their findings following the discovery of a publicly accessible database belonging to DeepSeek. The critical database allowed full control over operations, including access to internal data. This exposure included over a million lines of log streams containing highly sensitive information. Wiz disclosed its findings to DeepSeek, who promptly secured the database.
DeepSeek, a Chinese AI startup, has gained significant media attention for its cutting-edge AI models, particularly the DeepSeek-R1 reasoning model. This model competes with leading AI systems such as OpenAI’s o1 in terms of performance while also being cost-effective and efficient.
As DeepSeek’s prominence in AI grew, the Wiz Research team assessed its external security posture to identify potential vulnerabilities. Within minutes, the team discovered a publicly accessible ClickHouse database, completely open and unauthenticated, exposing sensitive data. It was hosted at:
This database contained vast amounts of chat history, backend data, and sensitive information, including log streams, API secrets, and operational details. More critically, the exposure allowed full database control and potential privilege escalation within the DeepSeek environment without any authentication or defense mechanism.
Wiz Investigation
The Wiz investigation began with an assessment of DeepSeek’s publicly accessible domains. By mapping the external attack surface using passive and active discovery techniques, Wiz identified approximately 30 internet-facing subdomains. Most of these hosted benign elements such as chatbot interfaces, status pages, and API documentation.
However, further examination beyond standard HTTP ports (80/443) revealed two unusual, open ports (8123 & 9000) on the following hosts:
These ports led to a publicly exposed ClickHouse database, accessible without any authentication—an immediate red flag.
Understanding ClickHouse and Its Implications
ClickHouse is an open-source, columnar database management system designed for high-speed analytical queries on large datasets. Developed by Yandex, it is widely used for real-time data processing, log storage, and big data analytics. Given its capabilities, an exposed ClickHouse database presents a serious security risk.
Using ClickHouse’s HTTP interface, Wiz accessed the /play path, which allowed direct execution of arbitrary SQL queries via a web browser. A simple SHOW TABLES; query returned a full list of accessible datasets.
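A defender-side check for the two conditions described above (ClickHouse ports reachable from outside and no authentication), added here as an example that is not from the Wiz report or the original article. It audits ClickHouse server and user configuration for a wildcard `listen_host` and for users with an empty password or an unrestricted network; the sample XML is constructed, and the password check is simplified to ClickHouse's password-style settings.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the incident), using the element
# names of ClickHouse's config.xml / users.xml: one exposed, one hardened.
EXPOSED_CONFIG = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""
EXPOSED_USERS = """<clickhouse><users><default>
  <password></password>
  <networks><ip>::/0</ip></networks>
</default></users></clickhouse>"""
HARDENED_CONFIG = """<clickhouse>
  <listen_host>127.0.0.1</listen_host>
  <http_port>8123</http_port>
</clickhouse>"""
HARDENED_USERS = """<clickhouse><users><default>
  <password_sha256_hex>PLACEHOLDER_HASH</password_sha256_hex>
  <networks><ip>10.0.0.0/8</ip></networks>
</default></users></clickhouse>"""

# Simplification: only password-style settings count as authentication here.
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")

def audit(config_xml, users_xml):
    """Return findings for wildcard listeners and unauthenticated users."""
    findings = []
    cfg, usr = ET.fromstring(config_xml), ET.fromstring(users_xml)
    hosts = [h.text.strip() for h in cfg.findall("listen_host") if h.text]
    wildcard = [h for h in hosts if h in ("0.0.0.0", "::")]
    if wildcard:
        ports = [f"{t}={cfg.findtext(t)}" for t in ("http_port", "tcp_port")
                 if cfg.findtext(t)]
        findings.append(f"listens on all interfaces {wildcard}: {', '.join(ports)}")
    for user in usr.findall("users/*"):
        if not any((user.findtext(t) or "").strip() for t in PASSWORD_TAGS):
            findings.append(f"user '{user.tag}' has no password")
        for ip in user.findall("networks/ip"):
            net = ipaddress.ip_network(ip.text.strip(), strict=False)
            if net.prefixlen == 0:  # ::/0 or 0.0.0.0/0 means "from anywhere"
                findings.append(f"user '{user.tag}' allowed from any address")
    return findings

if __name__ == "__main__":
    print("exposed :", audit(EXPOSED_CONFIG, EXPOSED_USERS))
    print("hardened:", audit(HARDENED_CONFIG, HARDENED_USERS) or "no findings")
```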
Sensitive Data Exposure
One table, log_stream, contained over one million log entries, including:
This level of access posed a critical risk to DeepSeek’s security and its end-users. Not only could an attacker retrieve sensitive logs and plaintext chat messages, but they could also potentially exfiltrate plaintext passwords and proprietary information directly from the server.
Wiz Key Takeaways
The rapid adoption of AI services without corresponding security measures introduces significant risks. This exposure highlights that immediate security threats to AI applications stem from the underlying infrastructure rather than futuristic AI-driven attacks.
Key lessons from this incident include:
Conclusion
AI adoption is occurring at an unprecedented pace, with many AI companies evolving into critical infrastructure providers without adequate security frameworks. As AI becomes deeply integrated into businesses worldwide, the industry must recognize the risks of handling sensitive data and enforce security practices equivalent to those required for public cloud providers and major infrastructure providers.
Read the complete Wiz report here
Big Data Enthusiast | Business Intelligence Analyst | Expert in Data Modeling, Analytics, and Automation | SQL, SAS & Power BI Specialist
2 weeks ago: Stop feeding (any) AI with personal/sensitive data PERIOD. Big secret: You can run ollama/llama.cpp locally.... Enjoy! PS: META ANGELS / while the rest are DEVILS!
Computer Scientist, Software Engineer, IT Generalist
3 weeks ago: Never give it sensitive data. Run a model locally (ollama/llama.cpp). Profit?
Former Cloud Security Engineer @ Penthara | IT Security Intern@Baksethunt | CyberSecurity Intern @ Gurgram Police |AZ-104 | AZ-900 | MS-900
4 weeks ago: Please read my latest post.
OK Boštjan Dolinšek
SAP FI/P2P/OpenText - VIM-OCR(BCC & IES)/Cybersecurity Consultant
1 month ago: CIA Triad is not rocket science.