DeepSeek report raises serious doubts about its security

Chinese startup DeepSeek caught a lot of people off guard with the sudden emergence of its R1 AI model. Capable of going toe-to-toe with rivals like OpenAI’s ChatGPT and Meta’s Llama, yet trained at a fraction of the cost, it became the talk of the town and quickly jumped to number one in the top free apps in the Apple App Store in the US (#10 in the Play Store). Shortly after its meteoric rise in popularity, it was hit by a large-scale cyberattack. After an investigation into the company’s cybersecurity, it’s kind of surprising a cyberattack didn’t happen sooner.

Wiz, a cloud security software company, has published a new report about what its research team found while investigating DeepSeek’s external security posture. According to the report, it appears DeepSeek is not nearly as secure as it should be.

The research team claims it was able to find a publicly accessible ClickHouse database connected to DeepSeek within minutes of looking. This database was reportedly “completely open and unauthenticated” at the time of discovery. The security flaw is said to have exposed all kinds of sensitive data like chat history, backend data, API secrets, log streams, and operational details.

More worrisome, Wiz says that:

The exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world.

Wiz states that these issues not only put users at risk, but also put DeepSeek’s own security at risk. For example, an attacker could steal sensitive logs and chat messages while also taking passwords and local files related to proprietary information.

In short, DeepSeek has some serious security issues it needs to iron out. The good news is if you don’t feel comfortable using DeepSeek, there are plenty of alternatives to turn to.