DeepSeek exposed internal database containing chat histories and sensitive data

DeepSeek exposed internal database containing chat histories and sensitive data | TechCrunch

Summary
Chinese AI company DeepSeek exposed an unprotected database containing over a million unencrypted chat logs, API keys, and other sensitive data.
Security researchers at Wiz discovered the vulnerability and alerted DeepSeek, which promptly took the database offline.
It's unclear how long the data was exposed or if others accessed it before Wiz.
DeepSeek, which has gained viral popularity since its December launch, has not commented.
Who tf keeps that kind of sensitive shit unencrypted at rest?
The kind of company who develops an AI for 4% the cost of everyone else
I don't know, it doesn't feel like a cost thing to me. If even one second of thought was given to security this could have been prevented basically for free.
It wasn't at rest according to the blog post:
So probably either a service that was meant to be bound on loopback or a firewall issue.
I guess that shows how dangerous it is to have something secured by the 'nobody should be able to access this port' method.
Unprotected and internet accessible?
Truly a side project