DeepSeek, the generative AI platform from China, has surged in popularity recently, drawing heightened scrutiny amid its rapid ascent. Researchers from Wiz, a cloud security firm, recently discovered an exposed database containing over 1 million records, including user data, API keys, and system logs, accessible on the open internet.
The exposure surfaced as DeepSeek attracted attention from both users and industry competitors. Depending on who accessed the database, it could have severe implications for user privacy and data security. The database was quickly secured and became inaccessible to unauthorized users shortly after Wiz’s team made their findings public. However, it remains unclear if any malicious parties accessed or downloaded this sensitive information before it was secured.
Experts highlighted the glaring security oversight. Ami Luttwak, CTO of Wiz, expressed concern over the poor maturity of the service for handling sensitive data, given the ease of discovering the exposed database. Researchers typically encounter such vulnerabilities only after extensive scanning, but this instance presented itself readily.
The exposed system was a ClickHouse database, an open-source database usually relied upon for server analytics. The exposed information included user prompts and API authentication used in interactions with DeepSeek. Although most prompts were in Chinese, the potential for data in other languages could not be dismissed. The Wiz researchers took minimal steps to assess the database without jeopardizing user privacy, but the depth of access raised speculation about possible lateral movement into other systems within DeepSeek’s infrastructure.
Independent security researcher Jeremiah Fowler noted the risks involved in leaving such sensitive operational data openly accessible on the internet. He pointed out that this incident serves as a significant wake-up call for AI products and services regarding cybersecurity measures.
Amid this fallout, DeepSeek has made a global impact and has been ranked among the top apps on various platforms. Its rise has triggered substantial financial reactions, causing billions in losses for US AI companies. Regulatory attention has also intensified, with agencies interested in the company’s privacy policies, censorship ramifications, and the implications of its Chinese ownership for national security. In fact, Italy’s data protection regulator has directly engaged with DeepSeek, asking for clarification on its training data acquisition and usage.
Furthermore, concerns about DeepSeek’s security and ethical considerations have led the US Navy to warn its personnel against using the service. The Navy’s guidance emphasized avoiding the app to mitigate risk.
Despite the excitement surrounding AI, this incident underscores that even advanced technologies are prone to basic security flaws. The exposed data serves as a reminder of the ongoing vulnerabilities in cloud-hosted systems and emphasizes the need for greater cybersecurity diligence as the field of artificial intelligence continues to evolve.