Cybersecurity Company: DeepSeek Sensitive Data Exposed Online

On Wednesday, January 29th, the New York-based cybersecurity company Wiz revealed that a large amount of sensitive data from the Chinese artificial intelligence startup DeepSeek had inadvertently been exposed on the open internet.

In a blog post published on Wednesday, Wiz stated that as DeepSeek made waves in the AI field, their research team took the initiative to assess its external security posture and identify any potential vulnerabilities. Within minutes, Wiz found an openly accessible ClickHouse database linked to DeepSeek, completely open and without any authentication, exposing sensitive data.

According to Wiz, this database contained a vast amount of chat logs, backend data, and sensitive information, including log streams, API secrets, and operational details.

Furthermore, Wiz mentioned that this exposure allowed for complete control of the database, potentially enabling privilege escalation within the DeepSeek environment without any authentication or external access barriers.

This means that anyone on the public internet could read conversations with the online DeepSeek chatbot, along with other data, without needing a password.

Wiz stated that a scan of DeepSeek’s infrastructure revealed over a million unprotected rows of data inadvertently left behind by the company. This data included digital software keys and chat records that seemingly documented prompts sent by users to the company’s free AI assistant.

Ami Luttwak, the Chief Technology Officer of Wiz, mentioned that DeepSeek swiftly addressed the issue after being alerted by Wiz. “They deleted it in less than an hour,” Luttwak said, “but this data was easily discoverable, and we believe we were not the only ones to find it.”

Last week, DeepSeek introduced a free AI assistant. Thanks to its low cost, DeepSeek’s application overtook its US competitor, ChatGPT, in downloads on the Apple Store this Monday, triggering a sell-off in tech stocks.

On Tuesday, the Italian regulatory authority, Garante, expressed the desire to understand what personal data DeepSeek collects, where it sources the data from, the purposes of collection, the legal bases, whether the data is stored in China, and other information. They gave DeepSeek and its affiliates 20 days to respond.

On Tuesday, the Australian Minister for Industry and Technology, Ed Husic, voiced concerns about DeepSeek’s data privacy practices and urged Australian users to exercise caution when downloading it.

Speaking to ABC Australia, Husic said, “There are many questions about quality, consumer preferences, data, and privacy management that need timely answers. I will be very cautious about this. Such issues need careful consideration.” He noted differences between Chinese companies and Western competitors in terms of user privacy and data management.

On Wednesday, the Irish regulatory authority, the Data Protection Commission (DPC), also stated in a release that it had written to DeepSeek requesting information about its processing of data concerning data subjects in Ireland.