An exposure of DeepSeek chat history, courtesy of a database leak, has raised even more questions about how secure the upstart Chinese app is. The leak appears to contain over a million lines that include chat history and API keys, and a malicious actor that stumbled across it may have had access to even more internal secrets.
It was discovered by security researchers who ethically disclosed it to the company, and the issue was addressed before going public. However, the researchers warn that the database leak was so easy to find with cursory scanning that it is very possible that less ethical parties came across it first.
Chat history exposure among early security struggles for DeepSeek
It’s unclear how damaging the chat history exposure will turn out to be, but it is just one of several recent events that have shaken confidence in the otherwise incredibly successful app. While DeepSeek’s technical performance has turned the AI world on its head, mounting security questions may be its undoing.
A ClickHouse database hosted at deepseek.com appears to be the culprit. The security researchers are sounding warnings as relatively simple scanning would have revealed the database leak, which could be exploited via a web browser. Any malicious attacker would have had a troubling level of access extending well beyond viewing chat history, to potentially include extracting passwords and internal company secrets.
The full scope of damage remains unclear as cybersecurity firm Wiz did not attempt any more malicious actions after discovering the database leak, and due to the breach window remaining unknown (pending some sort of statement from DeepSeek). The Wiz researchers said that chat history entries dating back to January 6 of this year could be found.
Database leak indicative of DeepSeek’s growth issues
DeepSeek has become massively popular due to its performance and relative lightweight requirements, but it’s experiencing some problems with scaling and security. The two issues may well be related, or at least having an influence on each other.
The database leak was discovered as DeepSeek is also dealing with what appears to be an ongoing DDoS attack, one that saw it halt new registrations (at least for users outside of mainland China) for a number of days. Some industry observers think that may have been cover for scaling issues as the app rocketed to the top of the most-downloaded lists.
DeepSeek also faces predictable security concerns along the lines of what TikTok has already been subject to. At this point it appears that chat history is sent to servers in China, which means the government can essentially access it whenever it wants. That has already prompted some bans among individual federal agencies and state governments in the US, with it seemingly only being a matter of time until more widespread action is taken along those lines. In the EU it is already facing investigations by Italy and Ireland’s data protection agencies.
