Cloud security firm Wiz uncovered an unprotected DeepSeek database, giving full control over database operations and access to internal data, including millions of lines of chat logs. While the vulnerability has been quickly fixed, the incident shows the need for the AI industry to enforce higher security standards, says the company.
As Wiz security researcher Gal Nagli explains, Wiz Research found a ClickHouse database linked to DeepSeek that was publicly accessible at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000. The database was open and did not require any authentication, thus exposing a large quantity of data, including chat history, backend data, log streams, API Secrets, and operational details.
More worryingly, says Nagli, the database exposure allowed an attacker to take full control of the database and to gain higher privilege access to parts of the DeepSeek environment.
To discover the exposed database, Nagli carried out a straight reconnaissance procedure to find out what services were open to the internet. This led to the discovery of about 30 accessible domains, including admin.deepseek.com, dev.deepseek.com, and others. He then scanned them for open ports and discovered the unauthenticated ClickHouse instance.
Nagli was able to run arbitrary SQL queries using ClickHouse's Web UI, getting access to a log_stream table with large amounts of sensitive data. Depending on ClickHouse instance configuration, attackers could also exfiltrate plaintext passwords and local files using queries like: SELECT * FROM file('filename').
As mentioned, DeepSeek rapidly fixed the vulnerability upon disclosure by restricting public access and taking the database off the internet. The company has not yet provided any comments about the root cause of the issue. Given that ClickHouse DB defaults to not allowing external connections, as ClickHouse CEO clarified in a message on X, it cannot be ruled out that the Chinese company was the [target of a DOS attack that led to the database configuration being hacked, says another X user.
Besides the obvious privacy and security risk of enabling public unauthorized access to a database, Nagli hints at the larger implications of trusting sensitive and confidential data to AI companies:
As organizations rush to adopt AI tools and services from a growing number of startups and providers, it’s essential to remember that by doing so, we’re entrusting these companies with sensitive data. The rapid pace of adoption often leads to overlooking security, but protecting customer data must remain the top priority.
DeepSeek is a Chinese startup that has recently received huge attention thanks to its DeepSeek-V3 mixture-of-experts LLM and DeepSeek-R1 reasoning model, which rivals OpenAI's o1 in performance but with a much smaller footprint.
ClickHouse is an open-source database management system designed for fast analytical queries on large datasets. Developed by Yandex, it is used for real-time data processing, log storage, and big data analytics.
