DeepSeek Database Exposure: A Case Study in AI Security Risks

In a recent discovery, Wiz Research uncovered a significant security vulnerability in a publicly accessible database belonging to DeepSeek, a rising Chinese AI startup known for its DeepSeek-R1 reasoning model. This exposure allowed unrestricted control over database operations, revealing sensitive information and highlighting critical AI security risks that organizations must address.

Unrestricted Access to Sensitive Data

The exposed ClickHouse database contained over a million lines of log streams, including:

• Chat histories
• Secret keys
• Backend infrastructure details
• Operational metadata

This level of access could have allowed malicious actors to exfiltrate plaintext passwords and proprietary information directly from the server. Fortunately, Wiz Research responsibly disclosed the issue, and DeepSeek promptly secured the database.

Initial Reconnaissance

Wiz Research initiated its assessment by mapping DeepSeek’s external attack surface. Using passive and active subdomain discovery techniques, the team identified approximately 30 internet-facing subdomains. While most appeared benign, two unusual open ports (8123 & 9000) raised suspicions.

The ClickHouse Database

Further investigation revealed that these ports led to a publicly exposed ClickHouse database, accessible without any authentication. ClickHouse is a columnar database management system commonly used for real-time data processing, log storage, and big data analytics. The fact that it was exposed to the public internet without any security measures was a huge cloud security risk.

Gaining Control via the HTTP Interface

By leveraging ClickHouse’s HTTP interface, Wiz Research accessed the /play path, enabling direct execution of arbitrary SQL queries via the browser. A simple SHOW TABLES; query revealed a full list of accessible datasets.

Among them, the log_stream table stood out. It contained extensive logs with highly sensitive data, including plaintext chat messages, API keys, and backend details.

Implications of the Exposure

The exposure had serious implications for DeepSeek and its users. An attacker could have:

• Retrieved sensitive logs and chat messages.
• Exfiltrated plaintext passwords.
• Accessed proprietary information.
• Potentially achieved privilege escalation within the DeepSeek environment.

Key Takeaways for AI Security

This incident underscores several critical points:

• Rapid AI adoption without adequate security is inherently risky.
• Basic security risks, like accidental exposure of databases, remain a top priority.
• Organizations must ensure visibility into the architecture, tooling, and models being used by AI providers.

As AI becomes more deeply integrated into businesses, it's essential to enforce security practices on par with those required for public cloud providers and major infrastructure providers.

AI & Cloud Security: A Delicate Balance

Ultimately, this DeepSeek database exposure serves as a crucial reminder about the importance of robust security measures in the age of AI. As organizations increasingly rely on AI-powered solutions, prioritizing security should not be overlooked.

Read The State of AI in the Cloud 2025 to learn more about the broader AI landscape and where DeepSeek stands within it. Also, learn more about cloud detection strategies.