Full Report
China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database.
Analysis Summary
# Incident Report: Exposure of DeepSeek Database
## Executive Summary
Researchers from Wiz discovered a critical, publicly accessible database belonging to the AI platform DeepSeek, exposing over 1 million records including user prompts and API authentication tokens. This exposure was caused by an extremely low-effort configuration error, indicating severe security maturity issues. The database was secured within thirty minutes of the researchers mass-contacting company personnel.
## Incident Details
- Discovery Date: Wednesday (Date not specified, contemporaneous with publication)
- Incident Date: Pre-Discovery (Exact start unknown, but implied recent)
- Affected Organization: DeepSeek
- Sector: Artificial Intelligence / Generative AI Platform
- Geography: China-based Platform (Global service)
## Timeline of Events
### Initial Access
- Date/Time: Undetermined, discovered on Wednesday.
- Vector: Direct internet exposure of a database.
- Details: A ClickHouse database, seemingly used for server analytics, was found open to the entire internet with minimal scanning required.
### Lateral Movement
- Details: Not performed by the researchers. Security experts speculated that an attacker using the exposed API tokens could have leveraged this deep access to move laterally into other DeepSeek systems or execute code.
### Data Exfiltration/Impact
- Details: System logs, user prompt submissions (mostly in Chinese), and users’ API authentication tokens were exposed, totaling more than 1 million records. It is unknown if malicious actors accessed the data before discovery.
### Detection & Response
- **Detection:** Discovered by researchers from Wiz Cloud Security on Wednesday.
- **Response:** Researchers sent mass contact attempts to all available DeepSeek email addresses and LinkedIn profiles. Within approximately 30 minutes of this contact attempt, the exposed database was locked down and became inaccessible.
## Attack Methodology
- **Initial Access:** Misconfiguration (Direct internet exposure of a core database).
- **Persistence:** N/A (Incident was an exposure, not an active intrusion by the reporting party).
- **Privilege Escalation:** API authentication tokens were exposed, which could theoretically be used for privilege escalation if accessed by an attacker.
- **Defense Evasion:** The exposure appears to have bypassed standard security controls due to being "at the front door" of the infrastructure.
- **Credential Access:** API authentication tokens were directly exposed in the database.
- **Discovery:** Minimal scanning by researchers was required to confirm the exposure.
- **Lateral Movement:** Potential for attackers to move laterally due to exposure of system logs and tokens.
- **Collection:** System logs, user interactions (prompts), and authentication tokens were collected by the researchers to confirm the scope.
- **Exfiltration:** Potential for data exfiltration to any internet user who found the database before it was secured.
- **Impact:** High-risk data exposure and potential downstream impact on user trust and regulatory scrutiny.
## Impact Assessment
- **Financial:** Not disclosed, but significant market shockwaves affecting US AI competitors had already occurred.
- **Data Breach:** Over 1 million records leaked, including sensitive operational data (logs, prompts) and highly sensitive authentication data (API tokens).
- **Operational:** Immediate lockdown of the database occurred following researcher contact. The incident highlights significant operational security maturity gaps.
- **Reputational:** Significant negative international scrutiny regarding security, data handling, and regulatory compliance (e.g., questions from Italy's regulator, US Navy warning).
## Indicators of Compromise
*Note: Details are based on the nature of the exposed data, not direct threat intelligence reporting.*
- **Network indicators:** Unsecured publicly facing ClickHouse database endpoints.
- **File indicators:** System logs, user prompt text files, API key listings.
- **Behavioral indicators:** Initial access was achieved with minimal technical difficulty, indicating a "zero-effort" vulnerability discovery path.
## Response Actions
- **Containment measures:** The Wiz researchers confirmed the database was secured/locked down within 30 minutes of contacting DeepSeek staff.
- **Eradication steps:** Not detailed, but presumably involved closing the public access endpoint, rotating exposed API keys, and auditing database configurations.
- **Recovery actions:** Unspecified, but required a full internal review of cloud configuration management.
## Lessons Learned
- Stringent cloud security hygiene matters even for rapidly scaling platforms: "bare minimum" technical mistakes such as open databases result in high-level access.
- The incident highlights the immaturity of security practices relative to the rapid deployment of the service.
- Security oversight must keep pace with product deployment velocity, as the exposure was immediately accessible ("at the front door").
## Recommendations
- Implement automated, continuous scanning of all cloud assets for publicly exposed storage and database services.
- Mandate comprehensive security reviews and configuration checks prior to any external deployment of services handling user data or authentication credentials.
- Establish clear, redundant, and tested channels for receiving coordinated vulnerability disclosures, as mass contact proved effective but was not an ideal primary method.
- Immediately audit and rotate all API authentication tokens discovered as exposed.
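
One way to carry out the pre-deployment configuration checks recommended above, as an added example (not from the original report, DeepSeek or Wiz): a Python audit of a ClickHouse server's own `config.xml` and `users.xml` for wildcard listeners, users without credentials, and users reachable from any address. The sample XML is constructed, and the report does not state which settings were misconfigured in this incident.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for illustration; not DeepSeek's actual configuration.
SAMPLE_CONFIG = "<clickhouse><listen_host>::</listen_host></clickhouse>"
SAMPLE_USERS = """<clickhouse><users>
  <default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default>
  <analytics>
    <password_sha256_hex>CONSTRUCTED_PLACEHOLDER</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks>
  </analytics>
</users></clickhouse>"""

WILDCARD_HOSTS = {"::", "0.0.0.0"}
# Credential elements checked here; the list is not exhaustive.
CREDENTIAL_TAGS = ("password", "password_sha256_hex",
                   "password_double_sha1_hex", "ldap", "kerberos")


def has_credential(user):
    """True if the user element carries a non-empty credential setting."""
    found = (user.find(tag) for tag in CREDENTIAL_TAGS)
    return any(el is not None and ((el.text or "").strip() or len(el)) for el in found)


def allows_any_source(user):
    """True if any <networks><ip> entry is a /0 network such as ::/0."""
    nets = [(ip.text or "").strip() for ip in user.findall("./networks/ip")]
    return any(n.endswith("/0") for n in nets)


def audit_clickhouse(config_xml, users_xml):
    """Return (subject, problem) findings for the two XML documents."""
    findings = []
    for host in ET.fromstring(config_xml).iter("listen_host"):
        if (host.text or "").strip() in WILDCARD_HOSTS:
            findings.append(("listen_host", "binds all interfaces"))
    for user in ET.fromstring(users_xml).findall("./users/*"):
        if not has_credential(user):
            findings.append((user.tag, "no password or external auth set"))
        if allows_any_source(user):
            findings.append((user.tag, "accepts connections from any address"))
    return findings


if __name__ == "__main__":
    print(audit_clickhouse(SAMPLE_CONFIG, SAMPLE_USERS))
```

Run against the files a deployment pipeline is about to ship, a non-empty result is a reason to block the release until the listener and user entries are restricted.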