A DeepSeek database leak puts AI security under pressure

Researchers from Wiz found that a DeepSeek database was exposed online with system logs, user prompts and API authentication tokens. The database was locked down within a half hour after researchers tried to contact DeepSeek, but it remains unclear whether anyone else accessed the data.


DeepSeek’s rapid rise has brought more than market attention. Researchers from the cloud security firm Wiz found that one of the Chinese generative artificial intelligence platform’s critical databases was exposed on the internet, revealing operational and user data at a moment when the service was already under intense scrutiny.

The exposed database contained more than 1 million records, according to Wiz’s findings. The material included system logs, user prompt submissions and users’ API authentication tokens, making the incident a significant AI security issue for a company that has quickly attracted global interest.

What Wiz Found

Wiz researchers said the exposed resource appeared to be a ClickHouse database, an open source database commonly used for server analytics. The information visible inside it matched that purpose: logs showed routes or paths users had taken through DeepSeek’s systems, along with prompts, other service interactions and API keys used for authentication.

The prompts the researchers saw were all in Chinese. They also said the database may have contained prompts in other languages, though the source does not confirm that it did.

The researchers said they limited their review to the minimum needed to confirm the exposure without unnecessarily compromising user privacy. Even so, they suggested that the level of access may have created broader risk, including the possibility that a malicious actor could move laterally into other DeepSeek systems and execute code in other parts of the company’s infrastructure.

Ami Luttwak, the CTO of Wiz, described the issue as severe because the database was easy to reach while exposing highly sensitive access. He told WIRED, "The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high." He added, "I would say that it means that the service is not mature to be used with any sensitive data at all."

How Quickly The Exposure Was Closed

DeepSeek did not immediately respond to WIRED’s request for comment. The company was described as relatively new and difficult for press and other organizations to reach during the week of the report.

Wiz researchers said they were unsure how to disclose the finding to DeepSeek. They sent information about the discovery on Wednesday to every DeepSeek email address and LinkedIn profile they could find or guess. They had not received a reply, but the database became inaccessible to unauthorized users within a half hour of that outreach attempt.

That quick lockdown resolved the immediate public exposure. It did not answer a key question: whether malicious actors or other unauthorized parties had already accessed or downloaded any of the data. The Wiz researchers said they did not know whether anyone else had found the database before them.

The ease of discovery is central to the concern. Exposed databases on the open internet are not a new security problem, but Wiz said this one was visible almost immediately with minimal scanning or probing.

Nir Ohfeld, the head of vulnerability research at Wiz, contrasted the case with other exposed systems that can take hours of searching to identify. In this case, he said, "here it was at the front door." He also said the "technical difficulty of this vulnerability is the bare minimum."

Why This Matters For AI Platforms

The incident lands at a sensitive time for DeepSeek. The service had seen millions of people flock to it over the past week, pushing it to the top of Apple’s and Google’s app stores. Its rise put market pressure on US-based AI companies and wiped billions from their stock prices.

That attention has also brought scrutiny. Sources at OpenAI told the Financial Times on Wednesday that it was looking into DeepSeek’s alleged use of ChatGPT outputs to train its models. Lawmakers and regulators around the world have also begun asking questions about DeepSeek’s privacy policies, the impact of its censorship and whether its Chinese ownership creates national security concerns.

Italy’s data protection regulator sent DeepSeek questions about where it obtained training data, whether people’s personal information was included and the company’s legal basis for using that information. WIRED Italy reported that the DeepSeek app appeared to be unavailable to download in the country after the questions were sent.

Security concerns have extended to the United States military context as well. According to CNBC reporting, the US Navy issued an alert at the end of last week warning personnel not to use DeepSeek’s services "in any capacity." The email told Navy staff not to download, install or use the model, citing concerns about "potential security and ethical" issues.

The Broader Lesson

The database exposure does not depend on any exotic AI-specific failure. It shows that cloud-hosted databases behind advanced AI services can still be undermined by familiar operational mistakes.
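
As an added example (not from the article, Wiz or DeepSeek), the check below audits a ClickHouse server and users configuration for one such familiar mistake. The article does not say how the instance was configured, so the combination tested here, a wildcard `listen_host` plus a passwordless user that accepts any source address, is an assumption, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the article shows none of DeepSeek's settings.
SERVER_XML = """<clickhouse>
  <listen_host>::</listen_host>
  <http_port>8123</http_port>
</clickhouse>"""
USERS_XML = """<clickhouse><users>
  <default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default>
  <ingest>
    <password_sha256_hex>PLACEHOLDER_SHA256</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks>
  </ingest>
</users></clickhouse>"""

WILDCARD_HOSTS = {"::", "0.0.0.0"}
ANY_SOURCE = {"::/0", "0.0.0.0/0"}
# Password-style credentials only; LDAP, Kerberos and certificate auth are not modelled.
SECRET_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def audit(server_xml, users_xml):
    """Return findings for an unauthenticated, network-reachable ClickHouse."""
    findings = []
    server = ET.fromstring(server_xml)
    hosts = {(h.text or "").strip() for h in server.iter("listen_host")}
    public = bool(hosts & WILDCARD_HOSTS)
    if public:
        findings.append("INFO: server listens on all interfaces")
    users = ET.fromstring(users_xml).find("users")
    for user in (list(users) if users is not None else []):
        has_secret = any((user.findtext(t) or "").strip() for t in SECRET_TAGS)
        sources = {(ip.text or "").strip() for ip in user.iter("ip")}
        if has_secret:
            continue
        if sources & ANY_SOURCE:
            level = "CRITICAL" if public else "HIGH"
            findings.append(f"{level}: user '{user.tag}' has no password and accepts any source IP")
        else:
            findings.append(f"MEDIUM: user '{user.tag}' has no password")
    return findings


if __name__ == "__main__":
    for line in audit(SERVER_XML, USERS_XML):
        print(line)
```

A CRITICAL finding means both halves of the exposure are present at once; fixing either the bind address or the credential lowers the severity, and fixing both clears the report.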

Independent security researcher Jeremiah Fowler, who was not involved in the Wiz research but specializes in finding exposed databases, said the incident was alarming because of what could be reached and potentially manipulated. He told WIRED, "It's pretty shocking to build an AI model and leave the backdoor wide open from a security perspective." He added, "This type of operational data and the ability for anyone with an internet connection to access it and then manipulate it is a major risk to the organization and users."

Fowler also said the vulnerable database would have "definitely" been found quickly if it had not already been discovered, whether by researchers or bad actors. His broader view was that the case should serve as a warning for the expanding market of AI products and services.

DeepSeek’s systems also appeared to resemble OpenAI’s, according to researchers who spoke with WIRED. They said the infrastructure seemed similar down to details such as the format of the API keys, possibly to make it easier for new customers to move to DeepSeek.

For users and organizations, the immediate takeaway is straightforward: sensitive information should not be entered into a service until there is confidence in how that service protects operational data, prompts and authentication credentials. As Ohfeld put it, "AI is the new frontier in everything related to technology and cybersecurity," yet the incident still reflected "the same old vulnerabilities like databases left open on the internet."