A cybersecurity firm has found an errant public-facing DeepSeek database full of lines that appear to include chat history, among other sensitive internal elements. Though the researchers ethically disclosed the database leak to DeepSeek and it was closed before the findings were made public, their report notes that it was so easy to find that there is a good chance others were able to get to it first.
Database leak continues a tough first month for DeepSeek’s security record
The database leak appears to stem from a misconfigured ClickHouse database that allowed unauthenticated HTTP access and accepted arbitrary SQL queries. The issue was discovered through scanning by the cybersecurity firm Wiz, which said that attackers could have taken full control over database operations but that there is no other clear sign of abuse at this time.
That said, the database was hosted at deepseek.com and required only standard scanning of the company’s publicly accessible domains to discover. Therefore, it is very possible that Wiz was not the first on the scene. The database leak is composed of over one million log entries dating from January 6 of this year, including plaintext chat history records and API keys. The researchers did not engage in additional intrusive queries but did note that this access made it possible to extract any local files and plaintext passwords that might be present. An attacker could do all of this via ClickHouse’s HTTP interface, without needing credentials or even particularly advanced knowledge.
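For administrators who want to check their own ClickHouse deployments for the class of misconfiguration described above, the following added example (not code from the article, Wiz or DeepSeek) audits a server configuration for a plaintext HTTP listener on all addresses and for users with no password or no source-address restriction. Both sample configurations are constructed, and the assumption that such an exposure takes the form of a passwordless `default` user is ours, not the article's; other authentication methods such as LDAP or certificates are not handled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not DeepSeek's): an exposed setup and a hardened one.
EXPOSED = """<clickhouse>
  <listen_host>0.0.0.0</listen_host><http_port>8123</http_port>
  <users><default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default></users>
</clickhouse>"""

HARDENED = """<clickhouse>
  <listen_host>127.0.0.1</listen_host><https_port>8443</https_port>
  <users><default>
    <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks>
  </default></users>
</clickhouse>"""

CRED_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")

def is_open_net(text):
    # True if the address or CIDR matches every client (prefix length 0).
    try:
        return ipaddress.ip_network(text.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(xml_text):
    """Return a list of findings for one merged ClickHouse config document."""
    root = ET.fromstring(xml_text)
    findings = []
    hosts = [h.text or "" for h in root.iter("listen_host")]
    public = any(h.strip() in ("0.0.0.0", "::") for h in hosts)
    if public and root.find("http_port") is not None:
        findings.append("plaintext HTTP interface listens on all addresses")
    for user in root.findall("./users/*"):
        has_cred = any((user.findtext(t) or "").strip() for t in CRED_TAGS)
        nets = [n.text or "" for n in user.findall("./networks/ip")]
        if not has_cred:
            findings.append(f"user '{user.tag}' has no password")
        if any(is_open_net(n) for n in nets):
            findings.append(f"user '{user.tag}' accepts any source address")
    return findings
```

An empty result from `audit()` only means none of these three conditions were found in the file given; firewall rules and any reverse proxy in front of the server need to be reviewed separately.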
The database leak incident comes as DeepSeek is experiencing an amazing period of rapid success, supplanting ChatGPT as the most-downloaded app on some stores, but has also been tripped up by several other security issues in quick succession. One of those is an apparent DDoS attack, which forced the company to bar new registrations for some time.
Leak of chat history strikes another consumer confidence blow
DeepSeek has impressed with its technical capability and resource requirements, performing about as well as its best generative chat rivals while seemingly taking much less in the way of compute power to function. Where the company is vulnerable is in its security record thus far, and the database leak and chat history exposure is another negative entry in the ledger.
Aside from the leak of chat history, the full scope of which is still not entirely clear, the app also joins TikTok and Temu in raising concerns about what user data is being sent to China and what access the Chinese government has to it. Individual state governments, such as that of Texas, and individual federal agencies, such as NASA, have already banned the app for employee and official use in recent days. A more widespread federal ban almost seems to be a certainty at this point, but it remains to be seen if the app will be threatened with delisting from app stores in the way that TikTok was.
DeepSeek reportedly cut off access to the exposed database within an hour of being notified, but it remains unclear (and essentially impossible to tell) how long it was open before that and who else might have come across it. Aside from whatever might have been in the chat history, prior intruders might have extracted keys, passwords and sensitive information that grant further access to the company’s systems. This could trigger more immediate international regulatory scrutiny of the company; it is already in trouble with Italy’s data protection authority Garante, which has initiated an investigation into how it handles personal data. Garante suspended ChatGPT in the country for a short period for similar reasons in 2023. The app is also under investigation by the Irish Data Protection Commission (DPC).
Leaking chat history is not the only privacy concern; Israeli cybersecurity firm Kela recently published an analysis of DeepSeek in which it noted that old jailbreaking tricks that have long since been patched in other generative AI models still work to remove its safety guidelines. The researchers characterized the Chinese app as “significantly more vulnerable” than its competitors and well behind them in terms of overall security. The researchers were able to induce DeepSeek to attempt to generate malware code as well as provide instructions for things like making explosives and toxins.
DeepSeek’s security concerns are compounded by intimations from OpenAI and Microsoft of IP theft. Security researchers with Microsoft say that they observed individuals affiliated with the app abusing OpenAI’s API to extract large amounts of data in late 2024. OpenAI has alleged that DeepSeek used “distillation” techniques to train its smaller models on the company’s larger ones, a violation of the platform terms of service and a potential violation of IP rights. Neither company has made formal charges as of yet, but both say that they have opened probes into the issue.
It is no longer unusual for breaches to expand in scope weeks and months after the initial reports. Gunter Ollmann, CTO at Cobalt, believes the chat history leak may well be another such incident: “The DeepSeek exposure highlights a critical and recurring issue – organizations, especially those innovating rapidly in AI, often prioritize speed over security. Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs. Given DeepSeek’s recent global recognition and growth in the AI space, the breach could have had a huge impact, significantly affecting businesses and individuals relying on their services, with potential ripple effects across industries. This case underscores why organizations must continuously evaluate the robustness of their defensive controls – not just to meet compliance, but to protect sensitive data and improve their risk posture. Offensive security, including penetration testing and attack surface monitoring, is essential in identifying these open doors before adversaries do. AI-driven platforms like DeepSeek must integrate security testing into their development lifecycle, ensuring rigorous assessments of infrastructure, access controls, and data handling policies. AI may be ‘new’ but the basics of security processes and controls still apply. As AI companies become integral to critical infrastructure, security can’t be an afterthought. The industry needs to adopt a proactive mindset – regular pentesting, red teaming, and continuous attack surface monitoring – to safeguard both intellectual property and customer trust.”

