Researchers at Wiz Research have uncovered a leak of DeepSeek’s database, which includes chat histories, private keys, backend details, and other sensitive information. This was reported on the company’s blog.
Following the commotion surrounding the Chinese startup, Wiz Research experts conducted a security analysis for potential vulnerabilities. Within minutes, analysts discovered an open ClickHouse database linked to DeepSeek. It required no authentication, granting access to confidential information.
The vulnerability allowed full control over the database and privilege escalation within the DeepSeek environment, with no protection mechanism in place.
The security gaps were identified by searching for and analyzing DeepSeek’s subdomains. Initially, Wiz Research found about 30 subdomains accessible online. Most posed no significant risk. By extending the search beyond the standard HTTP ports (80/443), the team discovered two unusual open ports (8123 and 9000), which led to the open ClickHouse database.
ClickHouse is a columnar database management system. It was developed by Yandex in 2016 and is now an open-source project.
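For operators running their own ClickHouse, the two conditions described above (a server listening on ports 8123/9000 on every interface, and an account that needs no authentication) can be checked in the server's configuration files. The following audit is an added example, not code from Wiz Research or DeepSeek; the embedded `config.xml` and `users.xml` are constructed samples, and the `audit` function and the `reporting` user are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not DeepSeek's actual configuration).
CONFIG_XML = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""
USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
    </default>
    <reporting>
      <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>
    </reporting>
  </users>
</clickhouse>"""

ANY_HOST = {"0.0.0.0", "::"}
ANY_NET = {"::/0", "0.0.0.0/0"}
# Simplification: only password-style credentials are recognised (no LDAP, Kerberos, certs).
CRED_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def audit(config_xml, users_xml):
    """Return findings for settings that expose ClickHouse without authentication."""
    findings = []
    cfg = ET.fromstring(config_xml)
    hosts = {(h.text or "").strip() for h in cfg.findall("listen_host")}
    exposed = sorted(hosts & ANY_HOST)
    if exposed:
        ports = [cfg.findtext(p) for p in ("http_port", "tcp_port") if cfg.findtext(p)]
        findings.append(f"listens on all interfaces {exposed}, ports {ports}")
    for user in ET.fromstring(users_xml).findall("./users/*"):
        has_cred = any((user.findtext(t) or "").strip() for t in CRED_TAGS)
        nets = {(ip.text or "").strip() for ip in user.findall("./networks/ip")}
        if not has_cred:
            findings.append(f"user '{user.tag}' has no password")
        if nets & ANY_NET:
            findings.append(f"user '{user.tag}' may connect from any address")
    return findings


if __name__ == "__main__":
    for line in audit(CONFIG_XML, USERS_XML):
        print("FINDING:", line)
```

A server is only reachable without credentials when a listener finding and a user finding occur together, so either fix (binding to an internal address, or setting a password and a restricted `networks` list) closes the exposure described here.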
The Wiz Research team reported the issue to DeepSeek, and the startup promptly resolved it.
Earlier, the Chinese company was suspected of data theft from OpenAI, and an investigation is underway.
