China-based AI platform DeepSeek has rapidly gained global attention, skyrocketing in popularity while putting pressure on U.S.-based AI companies. However, with increased scrutiny, a major security lapse has been uncovered—researchers found a publicly exposed database containing over 1 million records, including user data and API keys.
According to cloud security firm Wiz, DeepSeek left an unsecured database open to the internet, leaking system logs, user-submitted prompts, and sensitive authentication tokens. The vulnerability was so easy to find that Wiz researchers stumbled upon it almost immediately, requiring minimal scanning.
“This is a dramatic mistake,” said Ami Luttwak, CTO of Wiz. “The effort required to secure this database was minimal, yet the level of access available was extremely high. This shows that DeepSeek is not mature enough to be trusted with sensitive data.”
Failed Security Protocols
Wiz researchers tried to contact DeepSeek, sending messages to every email address and LinkedIn profile they could find. While DeepSeek did not respond, the database was abruptly locked down within 30 minutes of the contact attempts. However, it remains unclear whether malicious actors accessed the data before it was secured.
Independent cybersecurity expert Jeremiah Fowler warned that this type of security lapse is a “major risk” for both users and the organization itself. “Building an AI model and leaving a backdoor wide open is shocking from a security perspective,” he said.
Wiz researchers noted that DeepSeek’s API structure, authentication methods, and system design closely mimic OpenAI’s infrastructure. This similarity raises speculation that DeepSeek may have leveraged OpenAI’s outputs to train its models. OpenAI has since confirmed that it is investigating these claims.
DeepSeek’s Chinese ownership has attracted global regulatory scrutiny. Italy’s data protection authority has demanded clarifications on how DeepSeek collects and processes user data, with the app reportedly becoming unavailable in Italy shortly after.
Additionally, the U.S. Navy issued an internal warning last week, advising personnel not to download or use DeepSeek due to potential “security and ethical concerns.”
Despite DeepSeek’s technological advancements, this security failure highlights an ongoing issue in cloud-hosted AI systems—basic security misconfigurations exposing sensitive data.
“AI is the new frontier in tech and cybersecurity,” said Wiz’s Nir Ohfeld, “yet we’re still seeing the same old vulnerabilities—databases left open for anyone to access.”
As DeepSeek continues its rapid expansion, the question remains: Can it balance innovation with security, or is it destined for a privacy disaster?
