Security researchers discovered a major data leak at DeepSeek, the rapidly growing Chinese AI company, exposing over 1 million records including user interactions and internal system data.
Cloud security firm Wiz found an unprotected ClickHouse database containing sensitive information such as user chat prompts, system logs, and API authentication tokens freely accessible on the internet. The database was secured within 30 minutes after researchers attempted to contact DeepSeek through various channels.
"This is a dramatic mistake, because the effort level is very low and the access level that we got is very high," said Ami Luttwak, CTO of Wiz. The exposed database was discovered with minimal scanning effort, suggesting serious security oversights.
The researchers observed that most exposed chat prompts were in Chinese, though other languages may have been present. The database potentially allowed unauthorized access deep into DeepSeek's infrastructure, raising concerns about system security.
This security lapse comes as DeepSeek faces increased global scrutiny. The company's meteoric rise has impacted US-based AI companies' market values and drawn attention from regulators worldwide. Italy's data protection authority has questioned the company's data practices, while the US Navy has warned personnel against using DeepSeek's services.
The incident highlights persistent security challenges in cloud-based technologies. "It's pretty shocking to build an AI model and leave the backdoor wide open from a security perspective," noted independent security researcher Jeremiah Fowler.
DeepSeek has not responded to requests for comment about the exposure. It remains unclear whether malicious actors accessed or downloaded any of the exposed data before the database was secured.
The leak raises questions about DeepSeek's security practices as it continues rapid global expansion. While the company has gained millions of users in recent weeks, this incident may impact user trust and invite further regulatory examination.