DeepSeek’s ClickHouse Database Publicly Exposed Millions of Logs Containing Chats, API Keys

• A critical security flaw in the infrastructure of the Chinese AI startup DeepSeek publicly exposed private data.
• Security research revealed two open ports on specific hosts that connected to a publicly accessible ClickHouse database.
• Chat logs, API keys, and other operational information became available to unauthenticated users.

DeepSeek recently secured a publicly accessible ClickHouse database that granted complete control over database operations to unauthenticated users, exposing sensitive data, including chat histories, API endpoints and keys, backend details, and other operational information. 

The critical security vulnerability in the AI tool infrastructure was responsibly disclosed by cybersecurity firm Wiz Research, according to the report that details the findings.

A routine security assessment that mapped DeepSeek's external attack surface revealed the flaw. The team identified approximately 30 internet-facing subdomains associated with DeepSeek, including elements such as chatbot interfaces, API documentation, and status pages. 

However, a deeper investigation revealed two open ports (8123 and 9000) on specific hosts, which connected to a publicly accessible ClickHouse database without any authentication or form of protection.

The exposed ClickHouse database allowed unrestricted execution of queries. By using the, Wiz researchers conducted a `SHOW TABLES;` query via `/play` path in the ClickHouse HTTP interface, which confirmed access to several sensitive datasets, including a log list with 1 million entries.

The log table featured logs dating back to January 6, 2025, internal references to DeepSeek API endpoints, logs featuring plaintext chat histories, backend details, API keys, and operational metadata.

It also contained indications of which DeepSeek services generated the logs and metadata logs exposing the origin of requests.

This level of access granted attackers the ability not only to extract sensitive logs but also to potentially execute commands retrieving plaintext passwords, local files, and proprietary information directly from DeepSeek's infrastructure, depending on ClickHouse’s configuration.

Potential attackers could exploit the lack of authentication to extract sensitive business-critical data, including plaintext API keys and chat histories containing proprietary or customer information, and escalate privileges within DeepSeek’s environment.

DeepSeek has been attracting global attention due to its advanced AI capabilities, particularly the DeepSeek-R1 reasoning model, which rivals leading platforms like OpenAI's o1 in performance while offering superior cost-efficiency. Recently, European entities inquired whether the Chinese tool’s data processing respects user privacy.