What Happened
Wiz Research found a publicly reachable ClickHouse database belonging to DeepSeek that required no authentication and granted full control over database operations. It held over a million log lines including plaintext chat history, API keys, backend details, and operational metadata. An attacker finding it could have run arbitrary queries and pulled sensitive records straight off the server.
Impact
The exposure risked mass leakage of user conversations and secrets plus potential privilege escalation within DeepSeek's environment. After Wiz disclosed it, DeepSeek locked down the database within about an hour, and there is no confirmation whether others accessed it first.
How to Prevent This
- Require authentication and network restrictions on every database, with no exceptions for internal or dev instances
- Continuously scan public IP space for inadvertently exposed data stores
- Never store secrets, API keys, or chat content in plaintext logs
- Segment infrastructure so a single exposed service cannot yield full operational control
- Enforce infrastructure-as-code review to catch open ports and missing auth before deploy