DeepSeek Database Leak Exposes Millions of Private Chats – Ankor Tech

Chinese AI firm DeepSeek recently closed a critical back-end database vulnerability that had inadvertently exposed millions of sensitive records, including private user chat histories and API keys, to the public internet. The data, which was entirely unencrypted, was accessible to anyone with the database URL because the database had no password protection at all.

Discovery and Immediate Response

Security researchers at cloud infrastructure firm Wiz identified the unsecured database and promptly alerted the company. DeepSeek took the server offline shortly after the notification to mitigate the breach.

According to reports from Wired, the exposed logs primarily contained user prompts and responses in Chinese. While the data was easily translatable, the full extent of the exposure remains unclear. It is currently unknown how long the database was left open or if unauthorized third parties accessed the sensitive information prior to the discovery by Wiz researchers.

The Risks of Misconfigured Infrastructure

The incident highlights the ongoing challenge of securing rapidly scaling AI platforms. While there is no evidence of malicious intent, human error in database configuration remains a primary driver of such leaks. DeepSeek has experienced a massive surge in user adoption and viral popularity since its public debut in December, increasing the potential impact of back-end vulnerabilities.

Silence from DeepSeek

Despite the severity of the data exposure, DeepSeek has not provided an official statement or responded to requests for comment regarding the incident or potential impacts on its user base.