Chinese AI startup DeepSeek left a database containing sensitive information—including chat history, secret keys, and backend system details—publicly accessible online, cybersecurity firm Wiz reported this week.
While reviewing DeepSeek’s online infrastructure, Wiz discovered that a ClickHouse database had been left publicly accessible with no authentication required, the cybersecurity firm said in findings posted Wednesday.
The database contained more than a million entries, including chat logs, application keys, and internal system metadata. While Wiz confirmed it did not alter the database, it found that commands could be executed—a condition that would allow an attacker to escalate privileges and gain further access to DeepSeek’s systems.
While the issue was a misconfiguration, not a cyberattack, it still left the database publicly exposed and unrestricted.
During its investigation, Wiz identified multiple subdomains linked to DeepSeek. Most hosted standard features like chat interfaces and documentation. However, two non-standard ports led to the exposed ClickHouse database, a system commonly used for real-time data processing and big data analytics.
DeepSeek secured the database after Wiz disclosed the issue, preventing further exposure, the cybersecurity firm said.
“We’ve consistently found significant vulnerabilities and weaknesses with major AI models and technologies. This is yet another which shows that as we rush to leverage this technology, we’re creating a great deal of risk,” Wiz Global Head of Government Affairs Mitch Herckis told The Readable.
Founded in 2023 by Liang Wenfeng, DeepSeek has quickly gained attention for its AI models, particularly the DeepSeek-R1 reasoning model, which rivals leading systems like OpenAI’s ChatGPT. Notably, DeepSeek’s models are open-source, in contrast to the proprietary approaches of many U.S. firms.
The company has drawn scrutiny from U.S. regulators and AI experts, who argue that its rapid rise may be due to “distillation”—a technique that leverages the systems of competing AI models, specifically those from U.S.-based firms. Furthermore, as a China-based firm, DeepSeek is emerging as a U.S. national security concern, particularly given ongoing discussions about a potential dual ownership deal to allow TikTok to operate in the country.
The U.S. Defense Information Systems Agency blocked access to DeepSeek on Tuesday after analysts connected their work computers to Chinese servers to use the company’s chatbot, Bloomberg News reported Wednesday.
The U.S. stock market felt the effects of DeepSeek’s presence this week, with major tech firms like Nvidia — whose hardware underpins many of the world’s leading AI and machine learning companies — dropping by some 17% on Monday.
DeepSeek’s rapid rise has heightened scrutiny of U.S. trade controls aimed at curbing China’s technological ascent. The restrictions, covering a broad range of semiconductor products and fabrication tools, are intended to slow China’s AI and chip industry progress while preventing its military from gaining a strategic technological advantage.
The U.S. Commerce Department is investigating whether DeepSeek acquired advanced Nvidia semiconductors through third parties in Singapore, potentially bypassing export controls, Bloomberg also reported this week.
Related article: U.S. urges allies to strengthen restrictions on Chinese semiconductor technology
The United States reportedly has requested that its allies in Asia and Europe enhance their restrictions on Chinese chip-making technology, according to a report by the Financial Times on April 26.
The British business news organization reported that the U.S. is urging South Korea, Japan, and the Netherlands to “use existing export controls more aggressively.” Specifically, the report highlighted that the U.S. has requested these allied nations to cease their engineers from “servicing chipmaking tools at advanced semiconductor fabs in China.” The report was able to provide these details based on information gathered from five individuals familiar with the matter firsthand.
The Readable reached out to the Ministry of Trade, Industry, and Energy (MOTIE) and requested comment on whether the South Korean government had been urged by the U.S. to comply with this request. However, an official of MOTIE declined to comment, stating that “It is an internal matter.”
On October 7, 2022, the U.S. Bureau of Industry and Security (BIS) implemented new regulations regarding export controls on semiconductors and technology equipment in China. These regulations entail restrictions on U.S. citizens, prohibiting them from developing or producing semiconductors in Chinese firms without a license. Furthermore, the U.S. government stated that semiconductors and computing chips cannot be exported without permission from the U.S. READ MORE