Chinese AI startup DeepSeek recently experienced a significant security breach when one of its databases was left exposed on the internet. The vulnerability, discovered by Wiz security researcher Gal Nagli, revealed a ClickHouse database that granted unauthorized access to sensitive information.

The exposed database contained:
– Over 1 million lines of log streams
– Chat histories
– Secret keys and API credentials
– Backend operational details
– Critical operational metadata

The security flaw, located at oauth2callback.deepseek[.]com:9000 and dev.deepseek[.]com:9000, allowed complete database control without authentication requirements. Users could execute arbitrary SQL queries through ClickHouse’s HTTP interface directly via web browsers.

DeepSeek has since addressed the security vulnerability following notification from Wiz. However, it remains unclear if malicious actors accessed the exposed data before the fix was implemented.

This incident comes amid DeepSeek’s rapid rise in the AI industry, where their R1 reasoning model has gained significant attention. The company has faced several challenges recently:
– Temporary suspension of registrations due to malicious attacks
– Scrutiny over privacy policies
– Questions about Chinese ties raising U.S. national security concerns
– Investigation by Italian and Irish data protection regulators
– Probe by OpenAI and Microsoft regarding potential unauthorized API usage

The breach highlights the critical need for robust security measures in rapidly growing AI companies, particularly regarding data protection and infrastructure security.