DeepSeek Data Blunder Posed Security and Legal Risks

Wiz, a cybersecurity firm, uncovered significant security vulnerabilities in the DeepSeek infrastructure shortly after the Chinese AI model gained popularity.

Thomas Claburn reports in The Register that DeepSeek failed to secure its database infrastructure adequately. This lapse left sensitive data, including user conversations with DeepSeek’s chatbot, exposed to the public internet without password protection.

Deepseek offers free and paid access to its models, which the Chinese government reportedly censors. The unprotected ClickHouse database contained chat histories, backend data, API secrets, and operational details, posing a severe security risk.

The company’s privacy policy indicates that it logs and stores user data on servers located in China. This has raised concerns among European regulators, leading to the suspension of its app in Italy and an ongoing investigation in Ireland.

Additionally, OpenAI has accused DeepSeek of using its GPT models to train DeepSeek’s neural networks, further complicating the company’s standing in the AI community.

Wiz’s investigation revealed that the exposed database allowed unauthorized users to execute arbitrary SQL queries via ClickHouse’s HTTP interface, providing complete control over the database. This vulnerability enabled access to over a million log entries.

While the researchers did not attempt to retrieve plaintext passwords or proprietary data, they speculated that such data could have been easily accessed depending on the database configuration. Upon notification, DeepSeek promptly addressed the security flaws.

For lawyers, this incident highlights the critical risks associated with adopting AI. Integrating AI services poses a real and immediate threat to basic security oversights.