
DeepSeek exposed chat history and other sensitive data, show security researchers

In a major security failing, Chinese AI chatbot DeepSeek exposed chat history and other sensitive data in a database accessible without any authentication.

The security researchers who discovered the issue say that the exposure included more than a million lines of log entries, which included chat history and secret keys …

Earlier today we noted that DeepSeek is under investigation in both Europe and the US over privacy and national security concerns. The app – which still sits at the top of Apple’s App Store – has been removed in Italy after the country’s privacy watchdog expressed concerns, a move likely to be repeated in other countries.

In addition to any risks created by the company’s privacy policies and practices, security researchers have discovered a major security flaw. Wiz Research describes what it found.

Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, including the ability to access internal data. The exposure includes over a million lines of log streams […]

Within minutes, we found [the database] completely open and unauthenticated, exposing sensitive data [including] a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details.  

The problem was that the company had created a ClickHouse database without any authentication at all.

ClickHouse is an open-source, columnar database management system designed for fast analytical queries on large datasets. It was developed by Yandex and is widely used for real-time data processing, log storage, and big data analytics, which makes such an exposure a very valuable and sensitive discovery.

It was in one of these datasets, log_stream, that the sensitive data was found.
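As an added illustration (not from the article or from Wiz's report), the two ClickHouse configuration fragments below show the kind of settings that produce an open, unauthenticated instance of this sort, beside a hardened equivalent; the listen addresses, CIDR range, profile name and password hash are placeholders chosen for illustration.

```xml
<!-- Added example, not from the article. ClickHouse reads listen_host from
     config.xml and users/profiles from users.xml (or drop-ins under
     config.d/ and users.d/); both files use the <clickhouse> root element. -->

<!-- INSECURE (config.xml + users.xml): the combination that yields an open database -->
<clickhouse>
  <!-- Bind to every interface, including the public one -->
  <listen_host>::</listen_host>
  <users>
    <default>
      <password></password>                      <!-- empty: no authentication at all -->
      <networks><ip>::/0</ip></networks>         <!-- accept connections from any address -->
      <profile>default</profile>
      <quota>default</quota>
      <access_management>1</access_management>   <!-- may create users and grants over SQL -->
    </default>
  </users>
</clickhouse>

<!-- HARDENED (config.xml + users.xml): same structure, exposure and authentication fixed -->
<clickhouse>
  <!-- Listen only on loopback and the private backend interface (placeholder address) -->
  <listen_host>127.0.0.1</listen_host>
  <listen_host>10.0.0.5</listen_host>
  <users>
    <default>
      <!-- SHA-256 hex digest of a strong password; placeholder value -->
      <password_sha256_hex>REPLACE_WITH_SHA256_HEX</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>   <!-- backend subnet only (placeholder) -->
      <profile>readonly_analytics</profile>
      <quota>default</quota>
      <access_management>0</access_management>   <!-- no SQL-driven user management -->
    </default>
  </users>
  <profiles>
    <readonly_analytics>
      <readonly>1</readonly>                     <!-- SELECT only for log analytics -->
    </readonly_analytics>
  </profiles>
</clickhouse>
```

A quick self-check of a deployment is to attempt a connection from outside the intended network with no credentials: a server in the hardened configuration refuses the connection or returns an authentication error rather than answering queries.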

Wiz couldn’t find a security contact to notify, so ended up having to spam every email address it could find for the company in order to disclose its findings. DeepSeek did subsequently secure the database.

Photo by Steve Johnson on Unsplash



Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
