DeepSeek, the Chinese AI startup known for its DeepSeek-R1 LLM, has publicly exposed two databases containing sensitive user and operational information.
The unsecured ClickHouse instances reportedly held over a million log entries containing user chat history in plaintext form, API keys, backend details, and operational metadata.
Wiz Research discovered this exposure during a security assessment of DeepSeek’s external infrastructure.
The security firm found two publicly accessible database instances at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000 that allowed arbitrary SQL queries via a web interface without requiring authentication.
The databases contained a ‘log_stream’ table that stored sensitive internal logs dating from January 6, 2025, containing:
- user queries to DeepSeek’s chatbot,
- keys used by backend systems to authenticate API calls,
- internal infrastructure and services information,
- and various operational metadata.
“This level of access posed a critical risk to DeepSeek’s own security and for its end-users,” comments Wiz.
“Not only could an attacker retrieve sensitive logs and actual plaintext chat messages, but they could also potentially exfiltrate plaintext passwords and local files along with proprietary information directly from the server using queries like: SELECT * FROM file('filename') depending on their ClickHouse configuration.”
Wiz says it could execute more intrusive queries but limited its exploration to enumeration to keep its research within certain ethical constraints.
It is unknown if Wiz’s researchers were the first to discover this exposure or if malicious actors have already taken advantage of the misconfiguration.
In any case, Wiz informed DeepSeek of the matter, and the company promptly addressed the exposure, so the databases are no longer public.
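The root cause described above is a ClickHouse server that accepts queries from the internet without credentials. As an added example (not code from Wiz, DeepSeek or this article), the following audit parses a server's own `users.xml` and `config.xml` and flags the settings that produce that condition. The sample configs are constructed; it assumes password-based users and `<ip>` network entries only, and does not cover LDAP, Kerberos, certificate or `<host>`-based rules.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not DeepSeek's). Element names follow
# ClickHouse's users.xml / config.xml layout.
USERS_XML = """
<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
    </default>
    <ingest>
      <password_sha256_hex>PLACEHOLDER_HASH</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>
    </ingest>
  </users>
</clickhouse>
"""
CONFIG_XML = """
<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <tcp_port>9000</tcp_port>
</clickhouse>
"""
CREDENTIAL_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")

def audit_users(users_xml):
    """Return (user, issue) pairs for users with no secret or open networks."""
    findings = []
    for user in ET.fromstring(users_xml).find("users"):
        if not any((user.findtext(t) or "").strip() for t in CREDENTIAL_TAGS):
            findings.append((user.tag, "no password set"))
        for ip in user.findall("networks/ip"):
            net = ipaddress.ip_network(ip.text.strip(), strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 matches every client
                findings.append((user.tag, f"reachable from any address ({net})"))
    return findings

def audit_listeners(config_xml):
    """Return listen_host values that bind every interface."""
    hosts = (h.text.strip() for h in ET.fromstring(config_xml).findall("listen_host"))
    return [h for h in hosts if h in {"0.0.0.0", "::"}]

if __name__ == "__main__":
    for user, issue in audit_users(USERS_XML):
        print(f"[users.xml] {user}: {issue}")
    for host in audit_listeners(CONFIG_XML):
        print(f"[config.xml] listen_host {host} binds all interfaces")
```

A user flagged for both issues on a server that also binds all interfaces is queryable by anyone who can reach the port.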
DeepSeek’s security problems
Apart from all the concerns that arise from DeepSeek being a China-based technology company, meaning it has to comply with aggressive data access requests from the country’s government, the company does not appear to have established a solid security stance, placing sensitive data at risk.
The exposure of user prompts is a privacy breach that should be very concerning for organizations using the AI model for sensitive business operations.
Additionally, the exposure of backend details and API keys could give attackers a way into DeepSeek’s internal networks, enabling privilege escalation and potentially larger-scale breaches.
Earlier this week, the Chinese platform was targeted by persistent cyberattacks, which it appeared unable to thwart, forcing it to suspend new user registrations for nearly 24 hours.